Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 19 Apr 2018 14:31:14 -0700
From: Ed Cable <edcable@...os.org>
To: user@...eract.apache.org, Dev <dev@...eract.apache.org>, 
	security <security@...che.org>, oss-security@...ts.openwall.com, 
	圆珠笔 <627963028@...com>
Subject: [SECURITY] CVE-2018-1292: Apache Fineract SQL Injection Vulnerability
 - Injection via reportName parameter

Severity: Critical

Vendor:
The Apache Software Foundation

Versions Affected:
Apache Fineract 1.0.0
Apache Fineract 0.6.0-incubating
Apache Fineract 0.5.0-incubating
Apache Fineract 0.4.0-incubating

Description:

Within the 'getReportType' method, a hacker could inject SQL to read/update
data for which he doesn't have authorization for by way of the 'reportName'
parameter. Apache Fineract exposes different REST end points to query
domain specific
entities with a Query Parameter 'orderBy' which
are appended directly with SQL statements. A hacker/user can inject/draft
the  'orderBy'  query parameter by way of the "order" param  in such a way
to
to read/update the data for which he doesn't have authorization.

Mitigation:
All users should migrate to Apache Fineract 1.1.0 version
https://github.com/apache/fineract/tree/1.1.0


Credit:
This issue was discovered by 圆珠笔 (627963028@...com)

References:
http://fineract.apache.org/
https://cwiki.apache.org/confluence/display/FINERACT/Apache+
Fineract+Security+Report

Regards,
Apache Fineract Team

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.