Apache Fineract CVE-2018-1292 SQL Injection

Author: Still in             Risk: Critical

CVE: CVE-2018-1292           Type: SQL Injection

0day ID: 0DAY-176116         Date: 2018-04-29

Summary

Within the 'getReportType' method, an attacker can inject SQL through the
'reportName' parameter to read or update data he is not authorized to access.
Apache Fineract also exposes several REST endpoints that query domain-specific
entities with a query parameter 'orderBy', whose value is appended directly
to the SQL statement. An attacker or user can craft the 'orderBy' query
parameter, by way of the "order" request parameter, so that the resulting
statement reads or updates data for which he does not have authorization.
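As an added illustration (not Fineract's own code), the concatenation pattern the advisory describes, beside an allowlist-based replacement that only lets a request choose among columns the entity is known to expose; the class, table and column names are assumptions:

```java
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;

/** Builds an ORDER BY clause only from column names the caller may sort on. */
public final class SafeOrderBy {

    // Vulnerable pattern from the advisory: the request parameter is appended
    // to the SQL text unchanged, so whatever it contains becomes part of the query.
    static String unsafeOrderBy(String baseSql, String orderParam) {
        return baseSql + " ORDER BY " + orderParam;
    }

    // A column token must be a bare identifier; anything else is rejected outright.
    private static final Pattern IDENT = Pattern.compile("[A-Za-z_][A-Za-z0-9_]*");

    private final Set<String> sortableColumns;   // allowlist of the entity's own columns

    SafeOrderBy(Set<String> sortableColumns) {
        this.sortableColumns = sortableColumns;
    }

    /** Accepts "col [ASC|DESC], col2 ..." and rejects any column outside the allowlist. */
    String orderBy(String baseSql, String orderParam) {
        if (orderParam == null || orderParam.isBlank()) {
            return baseSql;                      // no sorting requested
        }
        StringBuilder clause = new StringBuilder();
        for (String term : orderParam.split(",")) {
            String[] parts = term.trim().split("\\s+");
            if (parts.length > 2) {
                throw new IllegalArgumentException("malformed order term: " + term);
            }
            String column = parts[0];
            if (!IDENT.matcher(column).matches() || !sortableColumns.contains(column)) {
                throw new IllegalArgumentException("column not sortable: " + column);
            }
            String dir = parts.length == 2 ? parts[1].toUpperCase(Locale.ROOT) : "ASC";
            if (!dir.equals("ASC") && !dir.equals("DESC")) {
                throw new IllegalArgumentException("bad sort direction: " + parts[1]);
            }
            if (clause.length() > 0) clause.append(", ");
            clause.append(column).append(' ').append(dir);
        }
        return baseSql + " ORDER BY " + clause;
    }

    public static void main(String[] args) {
        // Hypothetical entity: table "client" with three sortable columns.
        SafeOrderBy s = new SafeOrderBy(Set.of("id", "name", "submitted_on"));
        System.out.println(s.orderBy("SELECT id, name FROM client", "name desc, id"));
    }
}
```

Because the clause is rebuilt from validated tokens rather than copied from the request, the original parameter text never reaches the database; any term that is not an allowlisted identifier with an optional ASC/DESC is refused before a query is formed.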

Background

Apache Fineract can be deployed in any environment: cloud or on-premise, on or offline, mobile or PC; it's extensible enough to support any organizational type or delivery channel, and flexible enough to support any product, service, or methodology. For any organization, big or small, it will provide the client data management, loan and savings portfolio management, integrated real-time accounting, and social and financial reporting needed to bring digital financial services in a modern connected world. financial institutions, and service providers to offer financial services to the world's 2 billion underbanked and unbanked.

Vendor

The Apache Software Foundation

Mitigation

All users should migrate to Apache Fineract version 1.1.0.

https://github.com/apache/fineract/tree/1.1.0

Versions Affected

Apache Fineract 1.0.0
Apache Fineract 0.6.0-incubating
Apache Fineract 0.5.0-incubating
Apache Fineract 0.4.0-incubating

References

http://fineract.apache.org/

https://cwiki.apache.org/confluence/display/FINERACT/Apache+Fineract+Security+Report
