Posted to user@fineract.apache.org by Nazeer Shaik <na...@apache.org> on 2017/12/13 09:34:22 UTC
[SECURITY] CVE-2017-5663: Apache Fineract SQL Injection Vulnerability
CVE-2017-5663: Apache Fineract SQL Injection Vulnerability
Severity: Critical
Vendor:
The Apache Software Foundation
Versions Affected:
Apache Fineract 0.6.0-incubating
Apache Fineract 0.5.0-incubating
Apache Fineract 0.4.0-incubating
Description:
Apache Fineract exposes different REST endpoints to query domain-specific
entities with a query parameter 'sqlSearch', which
is appended directly to SQL statements. A hacker/user can inject/draft
the 'sqlSearch' query parameter in such a way as
to read/update data for which he doesn't have authorization.
Mitigation:
All users should migrate to Apache Fineract 1.0.0 version
https://github.com/apache/fineract/tree/1.0.0
Example:
A request to retrieve the Clients with displayName=Thomas:
GET https://DomainName/api/v1/clients?sqlSearch=displayName='Thomas'
An attacker/user can use
GET https://DomainName/api/v1/clients?sqlSearch= or (1==1)
to retrieve all clients in the system
Credit:
This issue was discovered by Alex Ivanov
References:
http://fineract.apache.org/
https://cwiki.apache.org/confluence/display/FINERACT/Apache+Fineract+Security+Report
Regards,
Apache Fineract Team
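The pattern the advisory describes, shown as an added example that is not Apache Fineract's code: a search endpoint whose authorization scope is a WHERE clause and whose 'sqlSearch' text is concatenated onto that clause, next to a hardened variant that only accepts named filters from an allowlist and binds values as parameters. The table and column names (m_client, display_name, office_id), the office-based scope and the sample rows are assumptions made for the example; the payload is the same shape as the one in the advisory, written with the standard SQL equality operator.

```python
import sqlite3

# Constructed sample data (not Fineract's schema): two offices with two clients each.
# A caller scoped to office 1 is only authorized to see ids 1 and 2.
SAMPLE_CLIENTS = [
    (1, "Thomas", 1),
    (2, "Anna", 1),
    (3, "Thomas", 2),
    (4, "Rahul", 2),
]


def make_db():
    """In-memory SQLite database standing in for the clients table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE m_client (id INTEGER PRIMARY KEY, display_name TEXT, office_id INTEGER)"
    )
    conn.executemany("INSERT INTO m_client VALUES (?, ?, ?)", SAMPLE_CLIENTS)
    return conn


def search_clients_vulnerable(conn, caller_office_id, sql_search):
    """Illustrative vulnerable pattern (assumed, not Fineract's code).

    The caller's authorization scope is enforced only by the WHERE clause, and the
    raw 'sqlSearch' string from the request is appended to that clause verbatim.
    """
    sql = "SELECT id, display_name, office_id FROM m_client WHERE office_id = ?"
    params = [caller_office_id]
    if sql_search:
        sql += " AND " + sql_search  # untrusted text becomes part of the statement
    return conn.execute(sql, params).fetchall()


# Hardened variant: external filter names map to real columns; anything else is rejected.
# Values never touch the SQL text, they are bound as parameters.
FILTERABLE_COLUMNS = {
    "displayName": "display_name",
    "id": "id",
}


def search_clients_safe(conn, caller_office_id, filters):
    """Accept only allowlisted filter names; bind every value as a parameter."""
    sql = "SELECT id, display_name, office_id FROM m_client WHERE office_id = ?"
    params = [caller_office_id]
    for name, value in filters.items():
        column = FILTERABLE_COLUMNS.get(name)
        if column is None:
            raise ValueError(f"unsupported filter: {name!r}")
        sql += f" AND {column} = ?"  # column comes from the allowlist, never from input
        params.append(value)
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # Legitimate use: one client named Thomas inside the caller's own office.
    print(search_clients_vulnerable(conn, 1, "display_name = 'Thomas'"))
    # Injected filter: AND binds tighter than OR, so the office scope is bypassed
    # and every client in every office comes back.
    print(search_clients_vulnerable(conn, 1, "display_name = 'Thomas' OR 1=1"))
    # Hardened endpoint: the same payload inside a value is just a name nobody has.
    print(search_clients_safe(conn, 1, {"displayName": "Thomas' OR 1=1"}))
```

The hardened version's contract is the important part: the client chooses from a fixed vocabulary of filter names, the server owns the SQL text entirely, and anything that is not in the vocabulary is an error rather than a fragment of the query. Escaping the incoming 'sqlSearch' string instead would not help, because the parameter is meant to carry SQL.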
Re: [SECURITY] CVE-2017-5663: Apache Fineract SQL Injection Vulnerability
Posted by Aleksandar Ivanov <al...@student.manchester.ac.uk>.
Hi Myrle,
My twitter handle is @AlexIvanovBg.
Many thanks,
Alex
________________________________
From: Myrle Krantz <my...@apache.org>
Sent: Wednesday, December 13, 2017 11:36:57 AM
To: dev
Cc: Aleksandar Ivanov
Subject: Re: [SECURITY] CVE-2017-5663: Apache Fineract SQL Injection Vulnerability
Alex,
I'm going to put this out on twitter too. Would you like to be
credited there as well? What's your twitter handle?
Best Regards,
Myrle Krantz
V.P., Apache Fineract
Re: [SECURITY] CVE-2017-5663: Apache Fineract SQL Injection Vulnerability
Posted by Myrle Krantz <my...@apache.org>.
Alex,
I'm going to put this out on twitter too. Would you like to be
credited there as well? What's your twitter handle?
Best Regards,
Myrle Krantz
V.P., Apache Fineract