Message-ID: <CAPnWRTj6xGZuO7f5ASRKG81uis-kmgrJ2Pws4cyZRv58X38f_g@mail.gmail.com>
Date: Thu, 19 Apr 2018 14:30:56 -0700
From: Ed Cable <edcable@...os.org>
To: user@...eract.apache.org, Dev <dev@...eract.apache.org>, 
	security <security@...che.org>, oss-security@...ts.openwall.com, 
	圆珠笔 <627963028@...com>
Subject: [SECURITY] CVE-2018-1290: Apache Fineract SQL Injection Vulnerability - Single quotation escape caused by two consecutive SQL parameters

Severity: Critical

Vendor:
The Apache Software Foundation

Versions Affected:
Apache Fineract 1.0.0
Apache Fineract 0.6.0-incubating
Apache Fineract 0.5.0-incubating
Apache Fineract 0.4.0-incubating

Description:

A single-quotation escape applied to two consecutive SQL parameters can
cause SQL injection. Affected methods include:
retrieveAuditEntries of the AuditsApiResource class
retrieveCommands of the MakercheckersApiResource class
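As an added illustration (not Fineract's own code), the pattern that avoids this class of bug: a lookup with several optional, consecutive filters, of the kind retrieveAuditEntries takes, assembled so that every value is bound as a parameter and only whitelisted column names reach the query text. The table layout, column names and sample rows are assumptions constructed for the example.

```python
import sqlite3

# Constructed sample audit rows (not Fineract data); the third maker
# contains a quote and a backslash so the test can show they stay literal.
SAMPLE_ROWS = [
    ("CREATE", "CLIENT", "alice"),
    ("UPDATE", "LOAN", "bob"),
    ("DELETE", "LOAN", "o'brien\\"),
]

# Column names allowed in a filter; values themselves never reach the SQL text.
FILTER_COLUMNS = {"action_name", "entity_name", "maker"}


def setup_db():
    """Create an in-memory table holding the constructed audit entries."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE audit (id INTEGER PRIMARY KEY, action_name TEXT, "
        "entity_name TEXT, maker TEXT)"
    )
    conn.executemany(
        "INSERT INTO audit (action_name, entity_name, maker) VALUES (?, ?, ?)",
        SAMPLE_ROWS,
    )
    return conn


def build_audit_query(filters):
    """Return the SQL text and a separate parameter list for the given filters.

    Each optional filter contributes one placeholder, so consecutive filters
    never depend on quoting or escaping: no user-supplied value is ever
    concatenated into the statement. Unknown column names are rejected.
    """
    clauses, params = [], []
    for column, value in filters.items():
        if column not in FILTER_COLUMNS:
            raise ValueError(f"unsupported filter column: {column!r}")
        clauses.append(f"{column} = ?")
        params.append(value)
    sql = "SELECT id, action_name, entity_name, maker FROM audit"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return sql, params


def retrieve_audit_entries(conn, **filters):
    """Run the query with bound parameters and return the matching rows."""
    sql, params = build_audit_query(filters)
    return conn.execute(sql, params).fetchall()
```

The same approach applies to any endpoint that accepts several user-controlled filters, such as retrieveCommands: the statement text is fixed per filter combination and the database driver handles every value as data.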

Credit:
This issue was discovered by 圆珠笔 (627963028@...com)

References:
http://fineract.apache.org/
https://cwiki.apache.org/confluence/display/FINERACT/Apache+Fineract+Security+Report

Regards,
Apache Fineract Team
