Apache Fineract allowed an authenticated user to perform remote code execution due to path traversal
CVE-2022-44635

8.8HIGH

Key Information:

Vendor: Apache
Status: Apache Fineract
Vendor: CVE Published:; 29 November 2022

Summary

Apache Fineract allowed an authenticated user to perform remote code execution due to a path traversal vulnerability in a file upload component of Apache Fineract, allowing an attacker to run remote code. This issue affects Apache Fineract version 1.8.0 and prior versions. We recommend users to upgrade to 1.8.1.

Affected Version(s)

Apache Fineract Apache Fineract 1.8 <= 1.8.0

Apache Fineract Apache Fineract 1.7 <= 1.7.0

References

https://lists.apache.org/thread/t8q6fmh3o6yqmy69qtqxppk9y...

http://www.openwall.com/lists/oss-security/2022/11/29/3

mailing-list

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 29, 2022
Vulnerability Reserved
Nov 2, 2022

Credit

We would like to thank Aman Sapra, co-captain of the Super Guesser CTF team & Security researcher at CRED, for reporting this issue, and the Apache Security team for their assistance. We give kudos and karma to @Aleksandar Vidakovic for resolving this CVE.