SQL Injection Vulnerability in Apache Fineract Affecting Multiple Versions
CVE-2018-1290

9.8CRITICAL

Key Information:

Vendor: Apache
Status: Apache Fineract
Vendor: CVE Published:; 20 April 2018

Summary

The vulnerability in Apache Fineract arises from improper handling of single quotation escapes within SQL parameters. By exploiting this flaw in specific methods such as retrieveAuditEntries from the AuditsApiResource Class and retrieveCommands from the MakercheckersApiResource Class, attackers can execute arbitrary SQL commands, potentially compromising the integrity and confidentiality of the database. This highlights the importance of robust input validation to prevent such vulnerabilities.

Affected Version(s)

Apache Fineract 1.0.0

Apache Fineract 0.6.0-incubating

Apache Fineract 0.5.0-incubating

References

https://lists.apache.org/thread.html/69cc2b54b32f0936f40d...

mailing-listx_refsource_MLIST

http://www.securityfocus.com/bid/103975

vdb-entryx_refsource_BID

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 20, 2018
Vulnerability Reserved
Dec 7, 2017