You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@fineract.apache.org by Arnout Engelen <en...@apache.org> on 2022/11/29 14:21:52 UTC

CVE-2022-44635: Apache Fineract allowed an authenticated user to perform remote code execution due to path traversal

Severity: important

Description:

Apache Fineract allowed an authenticated user to perform remote code execution due to a path traversal vulnerability in a file upload component of Apache Fineract, allowing an attacker to run remote code.  This issue affects Apache Fineract version 1.8.0 and prior versions. We recommend users to upgrade to 1.8.1.

Credit:

We would like to thank  Aman Sapra, co-captain of the Super Guesser CTF team & Security researcher at CRED, for reporting this issue, and the Apache Security team for their assistance.  We give kudos and karma to @Aleksandar Vidakovic for resolving this CVE.

Re: CVE-2022-44635: Apache Fineract allowed an authenticated user to perform remote code execution due to path traversal

Posted by James Dailey <ja...@gmail.com>.

Community -

The fix was released last week at patch 1.7.1 and 1.8.1.
It is recommended that all users update to the latest version of Fineract.

Members of the community have tested the approach (and code fixes) for
other versions.
They can chime in here, and I will be placing additional information on the
wiki at
https://cwiki.apache.org/confluence/display/FINERACT/Fineract+Project+Security+Report
<https://cwiki.apache.org/confluence/display/FINERACT/Fineract+Project+Security+Report>

This also tested our patch process, which was positive.

Thanks
James

James Dailey

On Tue, Nov 29, 2022 at 6:22 AM Arnout Engelen <en...@apache.org> wrote:

> Severity: important
>
> Description:
>
> Apache Fineract allowed an authenticated user to perform remote code
> execution due to a path traversal vulnerability in a file upload component
> of Apache Fineract, allowing an attacker to run remote code.  This issue
> affects Apache Fineract version 1.8.0 and prior versions. We recommend
> users to upgrade to 1.8.1.
>
> Credit:
>
> We would like to thank  Aman Sapra, co-captain of the Super Guesser CTF
> team & Security researcher at CRED, for reporting this issue, and the
> Apache Security team for their assistance.  We give kudos and karma to
> @Aleksandar Vidakovic for resolving this CVE.
>
>