You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@fineract.apache.org by Arnout Engelen <en...@apache.org> on 2022/11/29 14:21:52 UTC
CVE-2022-44635: Apache Fineract allowed an authenticated user to perform remote code execution due to path traversal
Severity: important
Description:
Apache Fineract allowed an authenticated user to perform remote code execution due to a path traversal vulnerability in a file upload component of Apache Fineract, allowing an attacker to run remote code. This issue affects Apache Fineract version 1.8.0 and prior versions. We recommend users to upgrade to 1.8.1.
Credit:
We would like to thank Aman Sapra, co-captain of the Super Guesser CTF team & Security researcher at CRED, for reporting this issue, and the Apache Security team for their assistance. We give kudos and karma to @Aleksandar Vidakovic for resolving this CVE.
Re: CVE-2022-44635: Apache Fineract allowed an authenticated user to perform remote code execution due to path traversal
Posted by James Dailey <ja...@gmail.com>.
Community -
The fix was released last week at patch 1.7.1 and 1.8.1.
It is recommended that all users update to the latest version of Fineract.
Members of the community have tested the approach (and code fixes) for
other versions.
They can chime in here, and I will be placing additional information on the
wiki at
https://cwiki.apache.org/confluence/display/FINERACT/Fineract+Project+Security+Report
<https://cwiki.apache.org/confluence/display/FINERACT/Fineract+Project+Security+Report>
This also tested our patch process, which was positive.
Thanks
James
James Dailey
On Tue, Nov 29, 2022 at 6:22 AM Arnout Engelen <en...@apache.org> wrote:
> Severity: important
>
> Description:
>
> Apache Fineract allowed an authenticated user to perform remote code
> execution due to a path traversal vulnerability in a file upload component
> of Apache Fineract, allowing an attacker to run remote code. This issue
> affects Apache Fineract version 1.8.0 and prior versions. We recommend
> users to upgrade to 1.8.1.
>
> Credit:
>
> We would like to thank Aman Sapra, co-captain of the Super Guesser CTF
> team & Security researcher at CRED, for reporting this issue, and the
> Apache Security team for their assistance. We give kudos and karma to
> @Aleksandar Vidakovic for resolving this CVE.
>
>