Date: Thu, 19 Apr 2018 14:30:56 -0700 From: Ed Cable <edcable@...os.org> To: user@...eract.apache.org, Dev <dev@...eract.apache.org>, security <security@...che.org>, oss-security@...ts.openwall.com, 圆珠笔 <627963028@...com> Subject: [SECURITY] CVE-2018-1290: Apache Fineract SQL Injection Vulnerability - Single quotation escape caused by two continuous SQL parameters Severity: Critical Vendor: The Apache Software Foundation Versions Affected: Apache Fineract 1.0.0 Apache Fineract 0.6.0-incubating Apache Fineract 0.5.0-incubating Apache Fineract 0.4.0-incubating Description: Using a single quotation escape with two continuous SQL parameters can cause a SQL injection. This could be done in Methods like retrieveAuditEntries of AuditsApiResource Class retrieveCommands of MakercheckersApiResource Class Credit: This issue was discovered by 圆珠笔 (627963028@...com) References: http://fineract.apache.org/ https://cwiki.apache.org/confluence/display/FINERACT/Apache+ Fineract+Security+Report Regards, Apache Fineract Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.