Date: Thu, 19 Apr 2018 14:30:59 -0700
From: Ed Cable <>
To: Dev <>, security <>, 圆珠笔 <>
Subject: [SECURITY] CVE-2018-1291: Apache Fineract SQL Injection Vulnerability - Order by injection via Order Param

Severity: Critical

The Apache Software Foundation

Versions Affected:
Apache Fineract 1.0.0
Apache Fineract 0.6.0-incubating
Apache Fineract 0.5.0-incubating
Apache Fineract 0.4.0-incubating


Apache Fineract exposes several REST endpoints that query domain-specific
entities and accept a query parameter 'orderBy', whose value is appended
directly to the SQL statement. A malicious user can inject into the
'orderBy' query parameter, by way of the "order" param, in such a way as to
read or update data he is not authorized to access.
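The following is an added illustration of the vulnerability class described above, not code from Apache Fineract or from the advisory. It builds a constructed SQLite table (the `client` table and its rows are invented, not Fineract's schema) and contrasts a query builder that appends the `orderBy` and sort-order parameters straight into the SQL text with one that accepts only allow-listed column names and directions, which is the standard mitigation for ORDER BY injection since bind parameters cannot be used for identifiers.

```python
import sqlite3

# Constructed sample data standing in for a domain entity; not Fineract's schema.
def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE client (id INTEGER, display_name TEXT, "
        "office_id INTEGER, secret_note TEXT)"
    )
    conn.executemany(
        "INSERT INTO client VALUES (?, ?, ?, ?)",
        [(1, "Alice", 10, "zeta"), (2, "Bob", 20, "alpha"), (3, "Carol", 10, "mid")],
    )
    return conn


def vulnerable_order_query(order_by: str, sort_order: str) -> str:
    """Pattern the advisory describes: caller-controlled parameters are
    concatenated into the SQL text, so any column or expression is accepted."""
    return f"SELECT id, display_name FROM client ORDER BY {order_by} {sort_order}"


# Hypothetical allow-lists; a real service derives these from the columns it
# is willing to expose for the entity being queried.
ALLOWED_ORDER_COLUMNS = {"id", "display_name", "office_id"}
ALLOWED_SORT_ORDERS = {"ASC", "DESC"}


def safe_order_query(order_by: str, sort_order: str = "ASC") -> str:
    """Hardened builder: identifiers cannot be bound as parameters, so the
    only safe approach is to reject anything outside a fixed allow-list."""
    column = order_by.strip()
    direction = sort_order.strip().upper()
    if column not in ALLOWED_ORDER_COLUMNS:
        raise ValueError(f"orderBy column not permitted: {column!r}")
    if direction not in ALLOWED_SORT_ORDERS:
        raise ValueError(f"sortOrder not permitted: {direction!r}")
    # Quote the identifier so it is never parsed as anything but a column name.
    return f'SELECT id, display_name FROM client ORDER BY "{column}" {direction}'


def run(sql: str) -> list:
    """Execute a query against the constructed table and return display names
    in result order."""
    conn = _connect()
    try:
        return [row[1] for row in conn.execute(sql)]
    finally:
        conn.close()


if __name__ == "__main__":
    # Sorting on a column the endpoint never returns still reveals its ordering.
    print(run(vulnerable_order_query("secret_note", "ASC")))
    print(run(safe_order_query("display_name", "desc")))
    try:
        safe_order_query("secret_note", "ASC")
    except ValueError as exc:
        print("rejected:", exc)
```

The vulnerable builder happily sorts on `secret_note`, a column the endpoint does not return, which is the "read data without authorization" outcome the advisory warns about; the hardened builder refuses it before any SQL is issued. The same allow-list check belongs on every endpoint that accepts an `orderBy`-style parameter, not only the one where the problem was first found.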

All users should migrate to Apache Fineract 1.1.0 version

This issue was discovered by 圆珠笔 (


Apache Fineract Team
