Date: Thu, 19 Apr 2018 14:31:14 -0700 From: Ed Cable <edcable@...os.org> To: user@...eract.apache.org, Dev <dev@...eract.apache.org>, security <security@...che.org>, oss-security@...ts.openwall.com, 圆珠笔 <627963028@...com> Subject: [SECURITY] CVE-2018-1292: Apache Fineract SQL Injection Vulnerability - Injection via reportName parameter Severity: Critical Vendor: The Apache Software Foundation Versions Affected: Apache Fineract 1.0.0 Apache Fineract 0.6.0-incubating Apache Fineract 0.5.0-incubating Apache Fineract 0.4.0-incubating Description: Within the 'getReportType' method, a hacker could inject SQL to read/update data for which he doesn't have authorization for by way of the 'reportName' parameter. Apache Fineract exposes different REST end points to query domain specific entities with a Query Parameter 'orderBy' which are appended directly with SQL statements. A hacker/user can inject/draft the 'orderBy' query parameter by way of the "order" param in such a way to to read/update the data for which he doesn't have authorization. Mitigation: All users should migrate to Apache Fineract 1.1.0 version https://github.com/apache/fineract/tree/1.1.0 Credit: This issue was discovered by 圆珠笔 (627963028@...com) References: http://fineract.apache.org/ https://cwiki.apache.org/confluence/display/FINERACT/Apache+ Fineract+Security+Report Regards, Apache Fineract Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.