Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    40 vulnerabilities found for apache fineract by Apache Software Foundation

    CVE-2026-57821 (GCVE-0-2026-57821)

    Vulnerability from nvd – Published: 2026-07-15 09:20 – Updated: 2026-07-15 12:26
    VLAI
    Title
    Apache Fineract: Office list: SQL Injection via Subquery in orderBy
    Summary
    A SQL Injection vulnerability exists in Apache Fineract's Office Search API (GET /api/v1/offices) in versions up to and including 1.14.0. The orderBy request parameter is concatenated into a SQL query without sufficient validation, allowing an authenticated user with permission to view offices to inject arbitrary SQL via a crafted orderBy value. This is a bypass of the ColumnValidator fix introduced for CVE-2024-32838, which does not detect bare subqueries in the ORDER BY position. This can be leveraged to perform time-based blind SQL injection for data exfiltration. Because the injected query blocks the database connection for its full duration, concurrent exploitation can exhaust the application's database connection pool, resulting in denial of service for other users. Users are recommended to upgrade to a version containing the fix.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Fineract Affected: 0 , ≤ 1.14.0 (semver)
    Unaffected: 1.15.0 (semver)
    Create a notification for this product.
    Credits
    Venkatraman Kumar (@r3dw0lfsec) at Securin Terence Monteiro (@terencemo) Ádám Sághy (@adamsaghy)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 8.1,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-57821",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T12:26:07.260895Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T12:26:10.244Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache Fineract",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "1.14.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "1.15.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Venkatraman Kumar (@r3dw0lfsec) at Securin"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Terence Monteiro (@terencemo)"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "\u00c1d\u00e1m S\u00e1ghy (@adamsaghy)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A SQL Injection vulnerability exists in Apache Fineract\u0027s Office Search API (\u003ccode\u003eGET /api/v1/offices\u003c/code\u003e) in versions up to and including 1.14.0. The \u003ccode\u003eorderBy\u003c/code\u003e request parameter is concatenated into a SQL query without sufficient validation, allowing an authenticated user with permission to view offices to inject arbitrary SQL via a crafted \u003ccode\u003eorderBy\u003c/code\u003e value. This is a bypass of the \u003ccode\u003eColumnValidator\u003c/code\u003e fix introduced for CVE-2024-32838, which does not detect bare subqueries in the \u003ccode\u003eORDER BY\u003c/code\u003e position. This can be leveraged to perform time-based blind SQL injection for data exfiltration. Because the injected query blocks the database connection for its full duration, concurrent exploitation can exhaust the application\u0027s database connection pool, resulting in denial of service for other users. Users are recommended to upgrade to a version containing the fix."
                }
              ],
              "value": "A SQL Injection vulnerability exists in Apache Fineract\u0027s Office Search API (GET /api/v1/offices) in versions up to and including 1.14.0. The orderBy request parameter is concatenated into a SQL query without sufficient validation, allowing an authenticated user with permission to view offices to inject arbitrary SQL via a crafted orderBy value. This is a bypass of the ColumnValidator fix introduced for CVE-2024-32838, which does not detect bare subqueries in the ORDER BY position. This can be leveraged to perform time-based blind SQL injection for data exfiltration. Because the injected query blocks the database connection for its full duration, concurrent exploitation can exhaust the application\u0027s database connection pool, resulting in denial of service for other users. Users are recommended to upgrade to a version containing the fix."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "important"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-15T09:20:14.675Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/apache/fineract/pull/6048"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/lb7zwdv7qntzy6z05gzf7m8mxw9cbgsj"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/rj5vwh3z2xcvsf0rqwj8kokpbrxkhq4n"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache Fineract: Office list: SQL Injection via Subquery in orderBy",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2026-57821",
        "datePublished": "2026-07-15T09:20:09.239Z",
        "dateReserved": "2026-06-25T11:47:18.920Z",
        "dateUpdated": "2026-07-15T12:26:10.244Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-56287 (GCVE-0-2026-56287)

    Vulnerability from nvd – Published: 2026-07-15 09:19 – Updated: 2026-07-15 14:32
    VLAI
    Title
    Apache Fineract: Boolean SQL Injection in Client Search API (orderBy parameter) leading to Local File Disclosure
    Summary
    A boolean-based SQL Injection vulnerability exists in Apache Fineract's Client Search API (GET /api/v1/clients) in versions up to and including 1.14.0. The orderBy and sortOrder request parameters are concatenated into a SQL query without sufficient validation, allowing an authenticated user with permission to view clients to inject arbitrary SQL via a crafted orderBy value. This can be leveraged to perform blind boolean-based data extraction and, on MySQL/MariaDB, to disclose arbitrary files readable by the database process via the LOAD_FILE() function. Users are recommended to upgrade to a version containing the fix
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Fineract Affected: 0 , ≤ 1.14.0 (semver)
    Create a notification for this product.
    Credits
    Anirudh Anand Aman Sapra Terence Monteiro (@terencemo) Ádám Sághy (@adamsaghy)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2026-07-15T09:40:33.186Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2026/07/15/2"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 8.1,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-56287",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T14:32:04.391476Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T14:32:08.722Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache Fineract",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "1.14.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Anirudh Anand"
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Aman Sapra"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Terence Monteiro (@terencemo)"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "\u00c1d\u00e1m S\u00e1ghy (@adamsaghy)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A boolean-based SQL Injection vulnerability exists in Apache Fineract\u0027s Client Search API (\u003ccode\u003eGET /api/v1/clients\u003c/code\u003e) in versions up to and including 1.14.0. The \u003ccode\u003eorderBy\u003c/code\u003e and \u003ccode\u003esortOrder\u003c/code\u003e request parameters are concatenated into a SQL query without sufficient validation, allowing an authenticated user with permission to view clients to inject arbitrary SQL via a crafted \u003ccode\u003eorderBy\u003c/code\u003e value. This can be leveraged to perform blind boolean-based data extraction and, on MySQL/MariaDB, to disclose arbitrary files readable by the database process via the \u003ccode\u003eLOAD_FILE()\u003c/code\u003e function. Users are recommended to upgrade to a version containing the fix"
                }
              ],
              "value": "A boolean-based SQL Injection vulnerability exists in Apache Fineract\u0027s Client Search API (GET /api/v1/clients) in versions up to and including 1.14.0. The orderBy and sortOrder request parameters are concatenated into a SQL query without sufficient validation, allowing an authenticated user with permission to view clients to inject arbitrary SQL via a crafted orderBy value. This can be leveraged to perform blind boolean-based data extraction and, on MySQL/MariaDB, to disclose arbitrary files readable by the database process via the LOAD_FILE() function. Users are recommended to upgrade to a version containing the fix"
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "important"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-15T09:19:38.262Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/l5klcj2v0dx63bssvb0gmw1nzzc47col"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/apache/fineract/pull/6020"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Apache Fineract: Boolean SQL Injection in Client Search API (orderBy parameter) leading to Local File Disclosure",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2026-56287",
        "datePublished": "2026-07-15T09:19:38.262Z",
        "dateReserved": "2026-06-20T06:45:41.509Z",
        "dateUpdated": "2026-07-15T14:32:08.722Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-35152 (GCVE-0-2026-35152)

    Vulnerability from nvd – Published: 2026-07-15 09:19 – Updated: 2026-07-15 14:33
    VLAI
    Title
    Apache Fineract: SQL injection in runreports endpoint
    Summary
    A SQL Injection vulnerability exists in Apache Fineract's Report Execution API (runreports endpoint) in versions up to and including 1.14.0. Report parameter values are incorporated into the generated SQL query without sufficient validation, allowing an authenticated user with permission to run reports to inject arbitrary SQL via crafted parameter values. This can be leveraged to perform unauthorized access to data beyond what the report was designed to expose. Users are recommended to upgrade to a version containing the fix.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Fineract Affected: 0 , ≤ 1.14.0 (semver)
    Create a notification for this product.
    Credits
    JD Security Shenyi Team Geo Chen Quac Tran Terence Monteiro (@terencemo) Ádám Sághy (@adamsaghy) Aleksandar Vidakovic (@vidakovic)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2026-07-15T09:40:07.010Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2026/07/15/1"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 8.8,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-35152",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T14:33:02.396413Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T14:33:38.726Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache Fineract",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "1.14.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "JD Security Shenyi Team"
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Geo Chen"
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Quac Tran"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Terence Monteiro (@terencemo)"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "\u00c1d\u00e1m S\u00e1ghy (@adamsaghy)"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Aleksandar Vidakovic (@vidakovic)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A SQL Injection vulnerability exists in Apache Fineract\u0027s Report Execution API (\u003ccode\u003erunreports\u003c/code\u003e endpoint) in versions up to and including 1.14.0. Report parameter values are incorporated into the generated SQL query without sufficient validation, allowing an authenticated user with permission to run reports to inject arbitrary SQL via crafted parameter values. This can be leveraged to perform unauthorized access to data beyond what the report was designed to expose. Users are recommended to upgrade to a version containing the fix.\u003cbr\u003e"
                }
              ],
              "value": "A SQL Injection vulnerability exists in Apache Fineract\u0027s Report Execution API (runreports endpoint) in versions up to and including 1.14.0. Report parameter values are incorporated into the generated SQL query without sufficient validation, allowing an authenticated user with permission to run reports to inject arbitrary SQL via crafted parameter values. This can be leveraged to perform unauthorized access to data beyond what the report was designed to expose. Users are recommended to upgrade to a version containing the fix."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "important"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-15T09:19:54.983Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/apache/fineract/pull/5980"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/d3bzcwsbywz7wg9zxvtlkvgmffqjyfn0"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/658yddn0bpxqw2hpxnyk3vqd05bkchg9"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Apache Fineract: SQL injection in runreports endpoint",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2026-35152",
        "datePublished": "2026-07-15T09:19:54.983Z",
        "dateReserved": "2026-04-01T16:47:55.529Z",
        "dateUpdated": "2026-07-15T14:33:38.726Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-58137 (GCVE-0-2025-58137)

    Vulnerability from nvd – Published: 2025-12-12 09:21 – Updated: 2025-12-12 19:35
    VLAI
    Title
    Apache Fineract: IDOR via self-service API
    Summary
    Authorization Bypass Through User-Controlled Key vulnerability in Apache Fineract. This issue affects Apache Fineract: through 1.11.0. The issue is fixed in version 1.12.1. Users are encouraged to upgrade to version 1.13.0, the latest release.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Fineract Affected: 0 , ≤ 1.11.0 (semver)
    Unaffected: 1.12.1 (semver)
    Create a notification for this product.
    Credits
    Peter Chen Ádám Sághy Aleksandar Vidakovic Víctor Romero
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2025-12-12T10:06:26.103Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/12/11/7"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 8.1,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-58137",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-12T19:34:29.596076Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-12T19:35:44.785Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache Fineract",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "1.11.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "1.12.1",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Peter Chen"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "\u00c1d\u00e1m S\u00e1ghy"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Aleksandar Vidakovic"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "V\u00edctor Romero"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAuthorization Bypass Through User-Controlled Key vulnerability in Apache Fineract.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Fineract: through 1.11.0. The issue is fixed in version 1.12.1.\u003c/p\u003e\u003cp\u003eUsers are encouraged to upgrade to version 1.13.0, the latest release.\u003c/p\u003e"
                }
              ],
              "value": "Authorization Bypass Through User-Controlled Key vulnerability in Apache Fineract.\n\nThis issue affects Apache Fineract: through 1.11.0. The issue is fixed in version 1.12.1.\n\nUsers are encouraged to upgrade to version 1.13.0, the latest release."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "important"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-12T09:21:00.374Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/gz3zhoghlclch3rdnzyrdcf69c0507ww"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Apache Fineract: IDOR via self-service API",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2025-58137",
        "datePublished": "2025-12-12T09:21:00.374Z",
        "dateReserved": "2025-08-26T00:04:03.552Z",
        "dateUpdated": "2025-12-12T19:35:44.785Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-58130 (GCVE-0-2025-58130)

    Vulnerability from nvd – Published: 2025-12-12 09:20 – Updated: 2025-12-12 19:38
    VLAI
    Title
    Apache Fineract: Server Key not masked
    Summary
    Insufficiently Protected Credentials vulnerability in Apache Fineract. This issue affects Apache Fineract: through 1.11.0. The issue is fixed in version 1.12.1. Users are encouraged to upgrade to version 1.13.0, the latest release.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-522 - Insufficiently Protected Credentials
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Fineract Affected: 0 , ≤ 1.11.0 (semver)
    Unaffected: 1.12.1 (semver)
    Create a notification for this product.
    Credits
    Peter Chen Jose Alberto Hernandez Ádám Sághy
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2025-12-12T10:06:24.418Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/12/11/6"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 9.1,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-58130",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-12T19:37:36.771762Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-12T19:38:02.717Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache Fineract",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "1.11.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "1.12.1",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Peter Chen"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Jose Alberto Hernandez"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "\u00c1d\u00e1m S\u00e1ghy"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eInsufficiently Protected Credentials vulnerability in Apache Fineract.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Fineract: through 1.11.0.\u0026nbsp;The issue is fixed in version 1.12.1.\u003c/p\u003e\u003cp\u003eUsers are encouraged to upgrade to version 1.13.0, the latest release.\u003cbr\u003e\u003c/p\u003e"
                }
              ],
              "value": "Insufficiently Protected Credentials vulnerability in Apache Fineract.\n\nThis issue affects Apache Fineract: through 1.11.0.\u00a0The issue is fixed in version 1.12.1.\n\nUsers are encouraged to upgrade to version 1.13.0, the latest release."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "low"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-522",
                  "description": "CWE-522 Insufficiently Protected Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-12T09:20:06.930Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/d9zpkc86zk265523tfvbr8w7gyr6onoy"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache Fineract: Server Key not masked",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2025-58130",
        "datePublished": "2025-12-12T09:20:06.930Z",
        "dateReserved": "2025-08-25T17:22:25.418Z",
        "dateUpdated": "2025-12-12T19:38:02.717Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-23408 (GCVE-0-2025-23408)

    Vulnerability from nvd – Published: 2025-12-12 09:18 – Updated: 2025-12-18 15:34
    VLAI
    Title
    Apache Fineract: weak password policy
    Summary
    Weak Password Requirements vulnerability in Apache Fineract. This issue affects Apache Fineract: through 1.10.1. The issue is fixed in version 1.11.0. Users are encouraged to upgrade to version 1.13.0, the latest release.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-521 - Weak Password Requirements
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Fineract Affected: 0 , ≤ 1.10.1 (semver)
    Unaffected: 1.11.0 (semver)
    Create a notification for this product.
    Credits
    Peter Chen, PayPal Security Kristof Jozsa, BaaSFlow
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2025-12-12T10:06:07.346Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/12/11/5"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-23408",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-18T15:33:52.566017Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-18T15:34:00.875Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache Fineract",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "1.10.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "1.11.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Peter Chen, PayPal Security"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Kristof Jozsa, BaaSFlow"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eWeak Password Requirements vulnerability in Apache Fineract.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Fineract: through 1.10.1.\u0026nbsp;The issue is fixed in version 1.11.0.\u003c/p\u003e\u003cp\u003eUsers are encouraged to upgrade to version 1.13.0, the latest release.\u003cbr\u003e\u003c/p\u003e"
                }
              ],
              "value": "Weak Password Requirements vulnerability in Apache Fineract.\n\nThis issue affects Apache Fineract: through 1.10.1.\u00a0The issue is fixed in version 1.11.0.\n\nUsers are encouraged to upgrade to version 1.13.0, the latest release."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "moderate"
                },
                "type": "Textual description of severity"
              }
            },
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.5,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-521",
                  "description": "CWE-521 Weak Password Requirements",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-12T09:18:59.147Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/bdlb6wl968yh1n48mr5npsk2spo6dncf"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Apache Fineract: weak password policy",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2025-23408",
        "datePublished": "2025-12-12T09:18:59.147Z",
        "dateReserved": "2025-01-15T23:55:29.758Z",
        "dateUpdated": "2025-12-18T15:34:00.875Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-32838 (GCVE-0-2024-32838)

    Vulnerability from nvd – Published: 2025-02-12 09:44 – Updated: 2025-02-12 18:03
    VLAI
    Title
    Apache Fineract: SQL injection vulnerabilities in offices API endpoint
    Summary
    SQL Injection vulnerability in various API endpoints - offices, dashboards, etc. Apache Fineract versions 1.9 and before have a vulnerability that allows an authenticated attacker to inject malicious data into some of the REST API endpoints' query parameter.  Users are recommended to upgrade to version 1.10.1, which fixes this issue. A SQL Validator has been implemented which allows us to configure a series of tests and checks against our SQL queries that will allow us to validate and protect against nearly all potential SQL injection attacks.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Fineract Affected: 1.4 , ≤ 1.9 (semver)
    Create a notification for this product.
    Credits
    Kabilan S - Security engineer at Zoho Aleksandar Vidakovic
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-32838",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-12T14:51:41.347771Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-12T15:56:18.737Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-02-12T18:03:27.737Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/02/12/1"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache Fineract",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "1.9",
                  "status": "affected",
                  "version": "1.4",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Kabilan S - Security engineer at Zoho"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Aleksandar Vidakovic"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "SQL Injection vulnerability in various API endpoints - offices, dashboards, etc. Apache Fineract versions 1.9 and before have a vulnerability that allows an authenticated attacker to inject malicious data into some of the REST API endpoints\u0027 query parameter.\u0026nbsp;\u003cdiv\u003e\u003cbr\u003eUsers are recommended to upgrade to version 1.10.1, which fixes this issue.\u003cbr\u003e\u003cbr\u003eA SQL Validator has been implemented which allows us to configure a series of tests and checks against our SQL queries that will allow us to validate and protect against nearly all potential SQL injection attacks.\u0026nbsp;\u003cbr\u003e\u003cbr\u003e\u003c/div\u003e"
                }
              ],
              "value": "SQL Injection vulnerability in various API endpoints - offices, dashboards, etc. Apache Fineract versions 1.9 and before have a vulnerability that allows an authenticated attacker to inject malicious data into some of the REST API endpoints\u0027 query parameter.\u00a0\nUsers are recommended to upgrade to version 1.10.1, which fixes this issue.\n\nA SQL Validator has been implemented which allows us to configure a series of tests and checks against our SQL queries that will allow us to validate and protect against nearly all potential SQL injection attacks."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "important"
                },
                "type": "Textual description of severity"
              }
            },
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.4,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-02-12T09:44:15.943Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/7l88h17pn9nf8zpx5bbojk7ko5oxo1dy"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache Fineract: SQL injection vulnerabilities in offices API endpoint",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2024-32838",
        "datePublished": "2025-02-12T09:44:15.943Z",
        "dateReserved": "2024-04-18T17:53:52.406Z",
        "dateUpdated": "2025-02-12T18:03:27.737Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-23539 (GCVE-0-2024-23539)

    Vulnerability from nvd – Published: 2024-03-29 14:36 – Updated: 2025-02-13 17:39
    VLAI
    Title
    Apache Fineract: Under certain system configurations, the sqlSearch parameter for specific endpoints was vulnerable to SQL injection attacks, potentially allowing attackers to manipulate database queries.
    Summary
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Fineract.This issue affects Apache Fineract: <1.8.5. Users are recommended to upgrade to version 1.8.5 or 1.9.0, which fix the issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Fineract Affected: 0 , ≤ 1.8.4 (custom)
    Create a notification for this product.
    Credits
    Yash Sancheti of GH Solutions Consultants
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-23539",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-08T18:15:17.746807Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-08T20:07:58.442Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T23:06:25.209Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://cwiki.apache.org/confluence/display/FINERACT/Apache+Fineract+Security+Report"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread/g8sv1gnjv716lx2h89jbvjdgtrrjmy7h"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2024/03/29/3"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache Fineract",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "1.8.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Yash Sancheti of GH Solutions Consultants"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Apache Fineract.\u003cp\u003eThis issue affects Apache Fineract: \u0026lt;1.8.5.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 1.8.5 or 1.9.0, which fix the issue.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Apache Fineract.This issue affects Apache Fineract: \u003c1.8.5.\n\nUsers are recommended to upgrade to version 1.8.5 or 1.9.0, which fix the issue."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "critical"
                },
                "type": "Textual description of severity"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-01T17:09:56.568Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://cwiki.apache.org/confluence/display/FINERACT/Apache+Fineract+Security+Report"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/g8sv1gnjv716lx2h89jbvjdgtrrjmy7h"
            },
            {
              "url": "http://www.openwall.com/lists/oss-security/2024/03/29/3"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache Fineract: Under certain system configurations, the sqlSearch parameter for specific endpoints was vulnerable to SQL injection attacks, potentially allowing attackers to manipulate database queries.",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2024-23539",
        "datePublished": "2024-03-29T14:36:57.919Z",
        "dateReserved": "2024-01-18T05:12:01.266Z",
        "dateUpdated": "2025-02-13T17:39:46.405Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-23538 (GCVE-0-2024-23538)

    Vulnerability from nvd – Published: 2024-03-29 14:37 – Updated: 2025-02-13 17:39
    VLAI
    Title
    Apache Fineract: Under certain system configurations, the sqlSearch parameter was vulnerable to SQL injection attacks, potentially allowing attackers to manipulate database queries.
    Summary
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Fineract.This issue affects Apache Fineract: <1.8.5. Users are recommended to upgrade to version 1.8.5 or 1.9.0, which fix the issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Fineract Affected: 0 , < 1.8.5 (semver)
    Create a notification for this product.
    apache fineract Affected: 0 , < 1.8.5 (semver)
        cpe:2.3:a:apache:fineract:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Yash Sancheti Majd Alasfar of ProgressSoft
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T23:06:25.181Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://cwiki.apache.org/confluence/display/FINERACT/Apache+Fineract+Security+Report"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread/by32w2dylzgbqm5940x3wj7519wolqxs"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2024/03/29/2"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:apache:fineract:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "fineract",
                "vendor": "apache",
                "versions": [
                  {
                    "lessThan": "1.8.5",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-23538",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-04-01T19:58:21.744925Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-21T22:45:12.821Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache Fineract",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThan": "1.8.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Yash Sancheti"
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Majd Alasfar of ProgressSoft"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Apache Fineract.\u003cp\u003eThis issue affects Apache Fineract: \u0026lt;1.8.5.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 1.8.5 or 1.9.0, which fix the issue.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Apache Fineract.This issue affects Apache Fineract: \u003c1.8.5.\n\nUsers are recommended to upgrade to version 1.8.5 or 1.9.0, which fix the issue."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "important"
                },
                "type": "Textual description of severity"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 9.9,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-01T18:11:52.233Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://cwiki.apache.org/confluence/display/FINERACT/Apache+Fineract+Security+Report"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/by32w2dylzgbqm5940x3wj7519wolqxs"
            },
            {
              "url": "http://www.openwall.com/lists/oss-security/2024/03/29/2"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache Fineract: Under certain system configurations, the sqlSearch parameter was vulnerable to SQL injection attacks, potentially allowing attackers to manipulate database queries.",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2024-23538",
        "datePublished": "2024-03-29T14:37:40.374Z",
        "dateReserved": "2024-01-18T05:11:07.977Z",
        "dateUpdated": "2025-02-13T17:39:45.863Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-23537 (GCVE-0-2024-23537)

    Vulnerability from nvd – Published: 2024-03-29 14:38 – Updated: 2025-02-13 17:39
    VLAI
    Title
    Apache Fineract: Under certain circumstances, this vulnerability allowed users, without specific permissions, to escalate their privileges to any role.
    Summary
    Improper Privilege Management vulnerability in Apache Fineract.This issue affects Apache Fineract: <1.8.5. Users are recommended to upgrade to version 1.9.0, which fixes the issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-269 - Improper Privilege Management
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Fineract Affected: 0 , < 1.9.0 (semver)
    Create a notification for this product.
    apache fineract Affected: 0 , < 1.9.0 (custom)
        cpe:2.3:a:apache:fineract:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Yash Sancheti
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:apache:fineract:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "fineract",
                "vendor": "apache",
                "versions": [
                  {
                    "lessThan": "1.9.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-23537",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-08T18:09:05.990965Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-08T20:06:52.390Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T23:06:25.238Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://cwiki.apache.org/confluence/display/FINERACT/Apache+Fineract+Security+Report"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread/fq1ns4nprw2vqpkwwj9sw45jkwxmt9f1"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2024/03/29/1"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache Fineract",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThan": "1.9.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Yash Sancheti"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Privilege Management vulnerability in Apache Fineract.\u003cp\u003eThis issue affects Apache Fineract: \u0026lt;1.8.5.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 1.9.0, which fixes the issue.\u003c/p\u003e"
                }
              ],
              "value": "Improper Privilege Management vulnerability in Apache Fineract.This issue affects Apache Fineract: \u003c1.8.5.\n\nUsers are recommended to upgrade to version 1.9.0, which fixes the issue."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "important"
                },
                "type": "Textual description of severity"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 8.4,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-269",
                  "description": "CWE-269 Improper Privilege Management",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-01T18:06:44.197Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://cwiki.apache.org/confluence/display/FINERACT/Apache+Fineract+Security+Report"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/fq1ns4nprw2vqpkwwj9sw45jkwxmt9f1"
            },
            {
              "url": "http://www.openwall.com/lists/oss-security/2024/03/29/1"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache Fineract: Under certain circumstances, this vulnerability allowed users, without specific permissions, to escalate their privileges to any role.",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2024-23537",
        "datePublished": "2024-03-29T14:38:05.738Z",
        "dateReserved": "2024-01-18T04:59:16.245Z",
        "dateUpdated": "2025-02-13T17:39:45.238Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-25197 (GCVE-0-2023-25197)

    Vulnerability from nvd – Published: 2023-03-28 11:17 – Updated: 2024-10-23 15:14
    VLAI
    Title
    apache fineract: SQL injection vulnerability in certain procedure calls
    Summary
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Software Foundation apache fineract. Authorized users may be able to exploit this for limited impact on components.   This issue affects apache fineract: from 1.4 through 1.8.2.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Apache Software Foundation apache fineract Affected: 1.4 , ≤ 1.8.2 (semver)
    Create a notification for this product.
    Credits
    Eugene Lim at Cyber Security Group (CSG) Government Technology Agency GOVTECH.sg aleks@apache.org
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T11:18:36.121Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread/v0q9x86sx6f6l2nzr1z0nwm3y9qlng04"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-25197",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-23T15:14:09.196104Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-23T15:14:18.730Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "apache fineract",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "1.8.2",
                  "status": "affected",
                  "version": "1.4",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Eugene Lim at Cyber Security Group (CSG) Government Technology Agency GOVTECH.sg"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "aleks@apache.org"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Apache Software Foundation apache fineract.\u003cbr\u003e\u003cp\u003eAuthorized users may be able to exploit this for limited impact on components. \u0026nbsp;\u003c/p\u003e\u003cp\u003eThis issue affects apache fineract: from 1.4 through 1.8.2.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Apache Software Foundation apache fineract.\nAuthorized users may be able to exploit this for limited impact on components. \u00a0\n\nThis issue affects apache fineract: from 1.4 through 1.8.2.\n\n"
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "moderate"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-03-28T11:17:19.026Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/v0q9x86sx6f6l2nzr1z0nwm3y9qlng04"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "apache fineract: SQL injection vulnerability in certain procedure calls ",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2023-25197",
        "datePublished": "2023-03-28T11:17:19.026Z",
        "dateReserved": "2023-02-06T01:33:31.192Z",
        "dateUpdated": "2024-10-23T15:14:18.730Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-25196 (GCVE-0-2023-25196)

    Vulnerability from nvd – Published: 2023-03-28 11:16 – Updated: 2024-10-23 15:14
    VLAI
    Title
    Apache Fineract: SQL injection vulnerability
    Summary
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Software Foundation Apache Fineract. Authorized users may be able to change or add data in certain components.   This issue affects Apache Fineract: from 1.4 through 1.8.2.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Fineract Affected: 1.4 , ≤ 1.8.2 (semver)
    Create a notification for this product.
    Credits
    Zhang Baocheng at Leng Jing Qi Cai Security Lab Aleks@apache.org
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T11:18:36.263Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread/m9x3vpn3bry4fympkzxnnz4qx0oc0w8m"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-25196",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-23T15:14:35.403529Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-23T15:14:44.993Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Apache Fineract",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "1.8.2",
                  "status": "affected",
                  "version": "1.4",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": " Zhang Baocheng at Leng Jing Qi Cai Security Lab"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Aleks@apache.org"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Apache Software Foundation Apache Fineract.\u003cbr\u003e\u003cp\u003eAuthorized users may be able to change or add data in certain components. \u0026nbsp;\u003c/p\u003e\u003cp\u003eThis issue affects Apache Fineract: from 1.4 through 1.8.2.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Apache Software Foundation Apache Fineract.\nAuthorized users may be able to change or add data in certain components. \u00a0\n\nThis issue affects Apache Fineract: from 1.4 through 1.8.2.\n\n"
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "important"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-03-28T11:16:57.603Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/m9x3vpn3bry4fympkzxnnz4qx0oc0w8m"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Apache Fineract: SQL injection vulnerability ",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2023-25196",
        "datePublished": "2023-03-28T11:16:57.603Z",
        "dateReserved": "2023-02-06T01:32:54.479Z",
        "dateUpdated": "2024-10-23T15:14:44.993Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-25195 (GCVE-0-2023-25195)

    Vulnerability from nvd – Published: 2023-03-28 11:16 – Updated: 2024-10-23 15:16
    VLAI
    Title
    Apache Fineract: SSRF template type vulnerability in certain authenticated users
    Summary
    Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache Fineract. Authorized users with limited permissions can gain access to server and may be able to use server for any outbound traffic.  This issue affects Apache Fineract: from 1.4 through 1.8.3.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Fineract Affected: 1.4 , ≤ 1.8.3 (semver)
    Create a notification for this product.
    apache fineract Affected: 1.4.0 , ≤ 1.8.3 (custom)
        cpe:2.3:a:apache:fineract:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Huydoppa from GHTK Aleksander
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T11:18:36.247Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread/m58fdjmtkfp9h4c0r4l48rv995w3qhb6"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:apache:fineract:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "fineract",
                "vendor": "apache",
                "versions": [
                  {
                    "lessThanOrEqual": "1.8.3",
                    "status": "affected",
                    "version": "1.4.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 8.1,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-25195",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-23T15:15:05.674623Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-23T15:16:08.717Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Apache Fineract",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "1.8.3",
                  "status": "affected",
                  "version": "1.4",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Huydoppa from GHTK "
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Aleksander"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache Fineract.\u003cbr\u003e\u003cp\u003eAuthorized users with limited permissions can gain access to server and may be able to use server for any outbound traffic.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThis issue affects Apache Fineract: from 1.4 through 1.8.3.\u003c/p\u003e"
                }
              ],
              "value": "Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache Fineract.\nAuthorized users with limited permissions can gain access to server and may be able to use server for any outbound traffic.\u00a0\n\nThis issue affects Apache Fineract: from 1.4 through 1.8.3.\n\n"
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "moderate"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918 Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-03-28T11:16:28.304Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/m58fdjmtkfp9h4c0r4l48rv995w3qhb6"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Apache Fineract: SSRF template type vulnerability in certain authenticated users",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2023-25195",
        "datePublished": "2023-03-28T11:16:28.304Z",
        "dateReserved": "2023-02-06T01:32:05.395Z",
        "dateUpdated": "2024-10-23T15:16:08.717Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-44635 (GCVE-0-2022-44635)

    Vulnerability from nvd – Published: 2022-11-29 00:00 – Updated: 2025-04-25 14:51
    VLAI
    Title
    Apache Fineract allowed an authenticated user to perform remote code execution due to path traversal
    Summary
    Apache Fineract allowed an authenticated user to perform remote code execution due to a path traversal vulnerability in a file upload component of Apache Fineract, allowing an attacker to run remote code. This issue affects Apache Fineract version 1.8.0 and prior versions. We recommend users to upgrade to 1.8.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Fineract Affected: Apache Fineract 1.8 , ≤ 1.8.0 (custom)
    Affected: Apache Fineract 1.7 , ≤ 1.7.0 (custom)
    Create a notification for this product.
    Credits
    We would like to thank Aman Sapra, co-captain of the Super Guesser CTF team & Security researcher at CRED, for reporting this issue, and the Apache Security team for their assistance. We give kudos and karma to @Aleksandar Vidakovic for resolving this CVE.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T13:54:03.993Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread/t8q6fmh3o6yqmy69qtqxppk9yg9wfybg"
              },
              {
                "name": "[oss-security] 20221129 CVE-2022-44635: Apache Fineract allowed an authenticated user to perform remote code execution due to path traversal",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2022/11/29/3"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 8.8,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-44635",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-25T14:50:47.128187Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-25T14:51:14.718Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Apache Fineract",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "1.8.0",
                  "status": "affected",
                  "version": "Apache Fineract 1.8",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "1.7.0",
                  "status": "affected",
                  "version": "Apache Fineract 1.7",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "We would like to thank  Aman Sapra, co-captain of the Super Guesser CTF team \u0026 Security researcher at CRED, for reporting this issue, and the Apache Security team for their assistance.  We give kudos and karma to @Aleksandar Vidakovic for resolving this CVE. "
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Apache Fineract allowed an authenticated user to perform remote code execution due to a path traversal vulnerability in a file upload component of Apache Fineract, allowing an attacker to run remote code. This issue affects Apache Fineract version 1.8.0 and prior versions. We recommend users to upgrade to 1.8.1."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "other": "important"
                },
                "type": "unknown"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-11-29T00:00:00.000Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "url": "https://lists.apache.org/thread/t8q6fmh3o6yqmy69qtqxppk9yg9wfybg"
            },
            {
              "name": "[oss-security] 20221129 CVE-2022-44635: Apache Fineract allowed an authenticated user to perform remote code execution due to path traversal",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2022/11/29/3"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache Fineract allowed an authenticated user to perform remote code execution due to path traversal",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2022-44635",
        "datePublished": "2022-11-29T00:00:00.000Z",
        "dateReserved": "2022-11-02T00:00:00.000Z",
        "dateUpdated": "2025-04-25T14:51:14.718Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-17514 (GCVE-0-2020-17514)

    Vulnerability from nvd – Published: 2021-05-27 12:10 – Updated: 2024-08-04 14:00
    VLAI
    Title
    disabled hostname verificiation
    Summary
    Apache Fineract prior to 1.5.0 disables HTTPS hostname verification in ProcessorHelper in the configureClient method. Under typical deployments, a man in the middle attack could be successful.
    Severity
    No CVSS data available.
    CWE
    • Missing Hostname Verification
    Assigner
    References
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Fineract Affected: Apache Fineract , < 1.5.0 (custom)
    Create a notification for this product.
    Credits
    We would like to thank Simon Gerst at https://github.com/intrigus-lgtm for reporting this issue
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T14:00:48.549Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://issues.apache.org/jira/browse/FINERACT-1211"
              },
              {
                "name": "[fineract-dev] 20210527 Re: Release 1.5.0 fixed security issue CVE-2020-17514",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rc011b25289c8a6e14f8bc6d07e727382a1df3c8cf2aa5369598bbf64%40%3Cdev.fineract.apache.org%3E"
              },
              {
                "name": "[oss-security] 20210527 CVE-2020-17514: Apache Fineract: Disabled hostname verification for HTTPS",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2021/05/27/2"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Apache Fineract",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThan": "1.5.0",
                  "status": "affected",
                  "version": "Apache Fineract",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "We would like to thank Simon Gerst at https://github.com/intrigus-lgtm  for reporting this issue"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Apache Fineract prior to 1.5.0 disables HTTPS hostname verification in ProcessorHelper in the configureClient method. Under typical deployments, a man in the middle attack could be successful."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Missing Hostname Verification",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-05-27T17:06:10.000Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://issues.apache.org/jira/browse/FINERACT-1211"
            },
            {
              "name": "[fineract-dev] 20210527 Re: Release 1.5.0 fixed security issue CVE-2020-17514",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rc011b25289c8a6e14f8bc6d07e727382a1df3c8cf2aa5369598bbf64%40%3Cdev.fineract.apache.org%3E"
            },
            {
              "name": "[oss-security] 20210527 CVE-2020-17514: Apache Fineract: Disabled hostname verification for HTTPS",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2021/05/27/2"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "disabled hostname verificiation",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@apache.org",
              "ID": "CVE-2020-17514",
              "STATE": "PUBLIC",
              "TITLE": "disabled hostname verificiation"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Apache Fineract",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "Apache Fineract",
                                "version_value": "1.5.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Apache Software Foundation"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "We would like to thank Simon Gerst at https://github.com/intrigus-lgtm  for reporting this issue"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Apache Fineract prior to 1.5.0 disables HTTPS hostname verification in ProcessorHelper in the configureClient method. Under typical deployments, a man in the middle attack could be successful."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Missing Hostname Verification"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://issues.apache.org/jira/browse/FINERACT-1211",
                  "refsource": "MISC",
                  "url": "https://issues.apache.org/jira/browse/FINERACT-1211"
                },
                {
                  "name": "[fineract-dev] 20210527 Re: Release 1.5.0 fixed security issue CVE-2020-17514",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rc011b25289c8a6e14f8bc6d07e727382a1df3c8cf2aa5369598bbf64@%3Cdev.fineract.apache.org%3E"
                },
                {
                  "name": "[oss-security] 20210527 CVE-2020-17514: Apache Fineract: Disabled hostname verification for HTTPS",
                  "refsource": "MLIST",
                  "url": "http://www.openwall.com/lists/oss-security/2021/05/27/2"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2020-17514",
        "datePublished": "2021-05-27T12:10:10.000Z",
        "dateReserved": "2020-08-12T00:00:00.000Z",
        "dateUpdated": "2024-08-04T14:00:48.549Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-57821 (GCVE-0-2026-57821)

    Vulnerability from cvelistv5 – Published: 2026-07-15 09:20 – Updated: 2026-07-15 12:26
    VLAI
    Title
    Apache Fineract: Office list: SQL Injection via Subquery in orderBy
    Summary
    A SQL Injection vulnerability exists in Apache Fineract's Office Search API (GET /api/v1/offices) in versions up to and including 1.14.0. The orderBy request parameter is concatenated into a SQL query without sufficient validation, allowing an authenticated user with permission to view offices to inject arbitrary SQL via a crafted orderBy value. This is a bypass of the ColumnValidator fix introduced for CVE-2024-32838, which does not detect bare subqueries in the ORDER BY position. This can be leveraged to perform time-based blind SQL injection for data exfiltration. Because the injected query blocks the database connection for its full duration, concurrent exploitation can exhaust the application's database connection pool, resulting in denial of service for other users. Users are recommended to upgrade to a version containing the fix.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Fineract Affected: 0 , ≤ 1.14.0 (semver)
    Unaffected: 1.15.0 (semver)
    Create a notification for this product.
    Credits
    Venkatraman Kumar (@r3dw0lfsec) at Securin Terence Monteiro (@terencemo) Ádám Sághy (@adamsaghy)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 8.1,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-57821",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T12:26:07.260895Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T12:26:10.244Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache Fineract",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "1.14.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "1.15.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Venkatraman Kumar (@r3dw0lfsec) at Securin"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Terence Monteiro (@terencemo)"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "\u00c1d\u00e1m S\u00e1ghy (@adamsaghy)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A SQL Injection vulnerability exists in Apache Fineract\u0027s Office Search API (\u003ccode\u003eGET /api/v1/offices\u003c/code\u003e) in versions up to and including 1.14.0. The \u003ccode\u003eorderBy\u003c/code\u003e request parameter is concatenated into a SQL query without sufficient validation, allowing an authenticated user with permission to view offices to inject arbitrary SQL via a crafted \u003ccode\u003eorderBy\u003c/code\u003e value. This is a bypass of the \u003ccode\u003eColumnValidator\u003c/code\u003e fix introduced for CVE-2024-32838, which does not detect bare subqueries in the \u003ccode\u003eORDER BY\u003c/code\u003e position. This can be leveraged to perform time-based blind SQL injection for data exfiltration. Because the injected query blocks the database connection for its full duration, concurrent exploitation can exhaust the application\u0027s database connection pool, resulting in denial of service for other users. Users are recommended to upgrade to a version containing the fix."
                }
              ],
              "value": "A SQL Injection vulnerability exists in Apache Fineract\u0027s Office Search API (GET /api/v1/offices) in versions up to and including 1.14.0. The orderBy request parameter is concatenated into a SQL query without sufficient validation, allowing an authenticated user with permission to view offices to inject arbitrary SQL via a crafted orderBy value. This is a bypass of the ColumnValidator fix introduced for CVE-2024-32838, which does not detect bare subqueries in the ORDER BY position. This can be leveraged to perform time-based blind SQL injection for data exfiltration. Because the injected query blocks the database connection for its full duration, concurrent exploitation can exhaust the application\u0027s database connection pool, resulting in denial of service for other users. Users are recommended to upgrade to a version containing the fix."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "important"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-15T09:20:14.675Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/apache/fineract/pull/6048"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/lb7zwdv7qntzy6z05gzf7m8mxw9cbgsj"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/rj5vwh3z2xcvsf0rqwj8kokpbrxkhq4n"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache Fineract: Office list: SQL Injection via Subquery in orderBy",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2026-57821",
        "datePublished": "2026-07-15T09:20:09.239Z",
        "dateReserved": "2026-06-25T11:47:18.920Z",
        "dateUpdated": "2026-07-15T12:26:10.244Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-35152 (GCVE-0-2026-35152)

    Vulnerability from cvelistv5 – Published: 2026-07-15 09:19 – Updated: 2026-07-15 14:33
    VLAI
    Title
    Apache Fineract: SQL injection in runreports endpoint
    Summary
    A SQL Injection vulnerability exists in Apache Fineract's Report Execution API (runreports endpoint) in versions up to and including 1.14.0. Report parameter values are incorporated into the generated SQL query without sufficient validation, allowing an authenticated user with permission to run reports to inject arbitrary SQL via crafted parameter values. This can be leveraged to perform unauthorized access to data beyond what the report was designed to expose. Users are recommended to upgrade to a version containing the fix.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Fineract Affected: 0 , ≤ 1.14.0 (semver)
    Create a notification for this product.
    Credits
    JD Security Shenyi Team Geo Chen Quac Tran Terence Monteiro (@terencemo) Ádám Sághy (@adamsaghy) Aleksandar Vidakovic (@vidakovic)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2026-07-15T09:40:07.010Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2026/07/15/1"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 8.8,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-35152",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T14:33:02.396413Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T14:33:38.726Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache Fineract",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "1.14.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "JD Security Shenyi Team"
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Geo Chen"
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Quac Tran"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Terence Monteiro (@terencemo)"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "\u00c1d\u00e1m S\u00e1ghy (@adamsaghy)"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Aleksandar Vidakovic (@vidakovic)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A SQL Injection vulnerability exists in Apache Fineract\u0027s Report Execution API (\u003ccode\u003erunreports\u003c/code\u003e endpoint) in versions up to and including 1.14.0. Report parameter values are incorporated into the generated SQL query without sufficient validation, allowing an authenticated user with permission to run reports to inject arbitrary SQL via crafted parameter values. This can be leveraged to perform unauthorized access to data beyond what the report was designed to expose. Users are recommended to upgrade to a version containing the fix.\u003cbr\u003e"
                }
              ],
              "value": "A SQL Injection vulnerability exists in Apache Fineract\u0027s Report Execution API (runreports endpoint) in versions up to and including 1.14.0. Report parameter values are incorporated into the generated SQL query without sufficient validation, allowing an authenticated user with permission to run reports to inject arbitrary SQL via crafted parameter values. This can be leveraged to perform unauthorized access to data beyond what the report was designed to expose. Users are recommended to upgrade to a version containing the fix."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "important"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-15T09:19:54.983Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/apache/fineract/pull/5980"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/d3bzcwsbywz7wg9zxvtlkvgmffqjyfn0"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/658yddn0bpxqw2hpxnyk3vqd05bkchg9"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Apache Fineract: SQL injection in runreports endpoint",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2026-35152",
        "datePublished": "2026-07-15T09:19:54.983Z",
        "dateReserved": "2026-04-01T16:47:55.529Z",
        "dateUpdated": "2026-07-15T14:33:38.726Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-56287 (GCVE-0-2026-56287)

    Vulnerability from cvelistv5 – Published: 2026-07-15 09:19 – Updated: 2026-07-15 14:32
    VLAI
    Title
    Apache Fineract: Boolean SQL Injection in Client Search API (orderBy parameter) leading to Local File Disclosure
    Summary
    A boolean-based SQL Injection vulnerability exists in Apache Fineract's Client Search API (GET /api/v1/clients) in versions up to and including 1.14.0. The orderBy and sortOrder request parameters are concatenated into a SQL query without sufficient validation, allowing an authenticated user with permission to view clients to inject arbitrary SQL via a crafted orderBy value. This can be leveraged to perform blind boolean-based data extraction and, on MySQL/MariaDB, to disclose arbitrary files readable by the database process via the LOAD_FILE() function. Users are recommended to upgrade to a version containing the fix
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Fineract Affected: 0 , ≤ 1.14.0 (semver)
    Create a notification for this product.
    Credits
    Anirudh Anand Aman Sapra Terence Monteiro (@terencemo) Ádám Sághy (@adamsaghy)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2026-07-15T09:40:33.186Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2026/07/15/2"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 8.1,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-56287",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T14:32:04.391476Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T14:32:08.722Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache Fineract",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "1.14.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Anirudh Anand"
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Aman Sapra"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Terence Monteiro (@terencemo)"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "\u00c1d\u00e1m S\u00e1ghy (@adamsaghy)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A boolean-based SQL Injection vulnerability exists in Apache Fineract\u0027s Client Search API (\u003ccode\u003eGET /api/v1/clients\u003c/code\u003e) in versions up to and including 1.14.0. The \u003ccode\u003eorderBy\u003c/code\u003e and \u003ccode\u003esortOrder\u003c/code\u003e request parameters are concatenated into a SQL query without sufficient validation, allowing an authenticated user with permission to view clients to inject arbitrary SQL via a crafted \u003ccode\u003eorderBy\u003c/code\u003e value. This can be leveraged to perform blind boolean-based data extraction and, on MySQL/MariaDB, to disclose arbitrary files readable by the database process via the \u003ccode\u003eLOAD_FILE()\u003c/code\u003e function. Users are recommended to upgrade to a version containing the fix"
                }
              ],
              "value": "A boolean-based SQL Injection vulnerability exists in Apache Fineract\u0027s Client Search API (GET /api/v1/clients) in versions up to and including 1.14.0. The orderBy and sortOrder request parameters are concatenated into a SQL query without sufficient validation, allowing an authenticated user with permission to view clients to inject arbitrary SQL via a crafted orderBy value. This can be leveraged to perform blind boolean-based data extraction and, on MySQL/MariaDB, to disclose arbitrary files readable by the database process via the LOAD_FILE() function. Users are recommended to upgrade to a version containing the fix"
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "important"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-15T09:19:38.262Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/l5klcj2v0dx63bssvb0gmw1nzzc47col"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/apache/fineract/pull/6020"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Apache Fineract: Boolean SQL Injection in Client Search API (orderBy parameter) leading to Local File Disclosure",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2026-56287",
        "datePublished": "2026-07-15T09:19:38.262Z",
        "dateReserved": "2026-06-20T06:45:41.509Z",
        "dateUpdated": "2026-07-15T14:32:08.722Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-58137 (GCVE-0-2025-58137)

    Vulnerability from cvelistv5 – Published: 2025-12-12 09:21 – Updated: 2025-12-12 19:35
    VLAI
    Title
    Apache Fineract: IDOR via self-service API
    Summary
    Authorization Bypass Through User-Controlled Key vulnerability in Apache Fineract. This issue affects Apache Fineract: through 1.11.0. The issue is fixed in version 1.12.1. Users are encouraged to upgrade to version 1.13.0, the latest release.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Fineract Affected: 0 , ≤ 1.11.0 (semver)
    Unaffected: 1.12.1 (semver)
    Create a notification for this product.
    Credits
    Peter Chen Ádám Sághy Aleksandar Vidakovic Víctor Romero
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2025-12-12T10:06:26.103Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/12/11/7"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 8.1,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-58137",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-12T19:34:29.596076Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-12T19:35:44.785Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache Fineract",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "1.11.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "1.12.1",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Peter Chen"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "\u00c1d\u00e1m S\u00e1ghy"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Aleksandar Vidakovic"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "V\u00edctor Romero"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAuthorization Bypass Through User-Controlled Key vulnerability in Apache Fineract.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Fineract: through 1.11.0. The issue is fixed in version 1.12.1.\u003c/p\u003e\u003cp\u003eUsers are encouraged to upgrade to version 1.13.0, the latest release.\u003c/p\u003e"
                }
              ],
              "value": "Authorization Bypass Through User-Controlled Key vulnerability in Apache Fineract.\n\nThis issue affects Apache Fineract: through 1.11.0. The issue is fixed in version 1.12.1.\n\nUsers are encouraged to upgrade to version 1.13.0, the latest release."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "important"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-12T09:21:00.374Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/gz3zhoghlclch3rdnzyrdcf69c0507ww"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Apache Fineract: IDOR via self-service API",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2025-58137",
        "datePublished": "2025-12-12T09:21:00.374Z",
        "dateReserved": "2025-08-26T00:04:03.552Z",
        "dateUpdated": "2025-12-12T19:35:44.785Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-58130 (GCVE-0-2025-58130)

    Vulnerability from cvelistv5 – Published: 2025-12-12 09:20 – Updated: 2025-12-12 19:38
    VLAI
    Title
    Apache Fineract: Server Key not masked
    Summary
    Insufficiently Protected Credentials vulnerability in Apache Fineract. This issue affects Apache Fineract: through 1.11.0. The issue is fixed in version 1.12.1. Users are encouraged to upgrade to version 1.13.0, the latest release.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-522 - Insufficiently Protected Credentials
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Fineract Affected: 0 , ≤ 1.11.0 (semver)
    Unaffected: 1.12.1 (semver)
    Create a notification for this product.
    Credits
    Peter Chen Jose Alberto Hernandez Ádám Sághy
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2025-12-12T10:06:24.418Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/12/11/6"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 9.1,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-58130",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-12T19:37:36.771762Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-12T19:38:02.717Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache Fineract",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "1.11.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "1.12.1",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Peter Chen"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Jose Alberto Hernandez"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "\u00c1d\u00e1m S\u00e1ghy"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eInsufficiently Protected Credentials vulnerability in Apache Fineract.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Fineract: through 1.11.0.\u0026nbsp;The issue is fixed in version 1.12.1.\u003c/p\u003e\u003cp\u003eUsers are encouraged to upgrade to version 1.13.0, the latest release.\u003cbr\u003e\u003c/p\u003e"
                }
              ],
              "value": "Insufficiently Protected Credentials vulnerability in Apache Fineract.\n\nThis issue affects Apache Fineract: through 1.11.0.\u00a0The issue is fixed in version 1.12.1.\n\nUsers are encouraged to upgrade to version 1.13.0, the latest release."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "low"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-522",
                  "description": "CWE-522 Insufficiently Protected Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-12T09:20:06.930Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/d9zpkc86zk265523tfvbr8w7gyr6onoy"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache Fineract: Server Key not masked",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2025-58130",
        "datePublished": "2025-12-12T09:20:06.930Z",
        "dateReserved": "2025-08-25T17:22:25.418Z",
        "dateUpdated": "2025-12-12T19:38:02.717Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-23408 (GCVE-0-2025-23408)

    Vulnerability from cvelistv5 – Published: 2025-12-12 09:18 – Updated: 2025-12-18 15:34
    VLAI
    Title
    Apache Fineract: weak password policy
    Summary
    Weak Password Requirements vulnerability in Apache Fineract. This issue affects Apache Fineract: through 1.10.1. The issue is fixed in version 1.11.0. Users are encouraged to upgrade to version 1.13.0, the latest release.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-521 - Weak Password Requirements
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Fineract Affected: 0 , ≤ 1.10.1 (semver)
    Unaffected: 1.11.0 (semver)
    Create a notification for this product.
    Credits
    Peter Chen, PayPal Security Kristof Jozsa, BaaSFlow
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2025-12-12T10:06:07.346Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/12/11/5"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-23408",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-18T15:33:52.566017Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-18T15:34:00.875Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache Fineract",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "1.10.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "1.11.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Peter Chen, PayPal Security"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Kristof Jozsa, BaaSFlow"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eWeak Password Requirements vulnerability in Apache Fineract.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Fineract: through 1.10.1.\u0026nbsp;The issue is fixed in version 1.11.0.\u003c/p\u003e\u003cp\u003eUsers are encouraged to upgrade to version 1.13.0, the latest release.\u003cbr\u003e\u003c/p\u003e"
                }
              ],
              "value": "Weak Password Requirements vulnerability in Apache Fineract.\n\nThis issue affects Apache Fineract: through 1.10.1.\u00a0The issue is fixed in version 1.11.0.\n\nUsers are encouraged to upgrade to version 1.13.0, the latest release."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "moderate"
                },
                "type": "Textual description of severity"
              }
            },
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.5,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-521",
                  "description": "CWE-521 Weak Password Requirements",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-12T09:18:59.147Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/bdlb6wl968yh1n48mr5npsk2spo6dncf"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Apache Fineract: weak password policy",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2025-23408",
        "datePublished": "2025-12-12T09:18:59.147Z",
        "dateReserved": "2025-01-15T23:55:29.758Z",
        "dateUpdated": "2025-12-18T15:34:00.875Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-32838 (GCVE-0-2024-32838)

    Vulnerability from cvelistv5 – Published: 2025-02-12 09:44 – Updated: 2025-02-12 18:03
    VLAI
    Title
    Apache Fineract: SQL injection vulnerabilities in offices API endpoint
    Summary
    SQL Injection vulnerability in various API endpoints - offices, dashboards, etc. Apache Fineract versions 1.9 and before have a vulnerability that allows an authenticated attacker to inject malicious data into some of the REST API endpoints' query parameter.  Users are recommended to upgrade to version 1.10.1, which fixes this issue. A SQL Validator has been implemented which allows us to configure a series of tests and checks against our SQL queries that will allow us to validate and protect against nearly all potential SQL injection attacks.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Fineract Affected: 1.4 , ≤ 1.9 (semver)
    Create a notification for this product.
    Credits
    Kabilan S - Security engineer at Zoho Aleksandar Vidakovic
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-32838",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-12T14:51:41.347771Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-12T15:56:18.737Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-02-12T18:03:27.737Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/02/12/1"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache Fineract",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "1.9",
                  "status": "affected",
                  "version": "1.4",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Kabilan S - Security engineer at Zoho"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Aleksandar Vidakovic"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "SQL Injection vulnerability in various API endpoints - offices, dashboards, etc. Apache Fineract versions 1.9 and before have a vulnerability that allows an authenticated attacker to inject malicious data into some of the REST API endpoints\u0027 query parameter.\u0026nbsp;\u003cdiv\u003e\u003cbr\u003eUsers are recommended to upgrade to version 1.10.1, which fixes this issue.\u003cbr\u003e\u003cbr\u003eA SQL Validator has been implemented which allows us to configure a series of tests and checks against our SQL queries that will allow us to validate and protect against nearly all potential SQL injection attacks.\u0026nbsp;\u003cbr\u003e\u003cbr\u003e\u003c/div\u003e"
                }
              ],
              "value": "SQL Injection vulnerability in various API endpoints - offices, dashboards, etc. Apache Fineract versions 1.9 and before have a vulnerability that allows an authenticated attacker to inject malicious data into some of the REST API endpoints\u0027 query parameter.\u00a0\nUsers are recommended to upgrade to version 1.10.1, which fixes this issue.\n\nA SQL Validator has been implemented which allows us to configure a series of tests and checks against our SQL queries that will allow us to validate and protect against nearly all potential SQL injection attacks."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "important"
                },
                "type": "Textual description of severity"
              }
            },
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.4,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-02-12T09:44:15.943Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/7l88h17pn9nf8zpx5bbojk7ko5oxo1dy"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache Fineract: SQL injection vulnerabilities in offices API endpoint",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2024-32838",
        "datePublished": "2025-02-12T09:44:15.943Z",
        "dateReserved": "2024-04-18T17:53:52.406Z",
        "dateUpdated": "2025-02-12T18:03:27.737Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-23537 (GCVE-0-2024-23537)

    Vulnerability from cvelistv5 – Published: 2024-03-29 14:38 – Updated: 2025-02-13 17:39
    VLAI
    Title
    Apache Fineract: Under certain circumstances, this vulnerability allowed users, without specific permissions, to escalate their privileges to any role.
    Summary
    Improper Privilege Management vulnerability in Apache Fineract.This issue affects Apache Fineract: <1.8.5. Users are recommended to upgrade to version 1.9.0, which fixes the issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-269 - Improper Privilege Management
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Fineract Affected: 0 , < 1.9.0 (semver)
    Create a notification for this product.
    apache fineract Affected: 0 , < 1.9.0 (custom)
        cpe:2.3:a:apache:fineract:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Yash Sancheti
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:apache:fineract:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "fineract",
                "vendor": "apache",
                "versions": [
                  {
                    "lessThan": "1.9.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-23537",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-08T18:09:05.990965Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-08T20:06:52.390Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T23:06:25.238Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://cwiki.apache.org/confluence/display/FINERACT/Apache+Fineract+Security+Report"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread/fq1ns4nprw2vqpkwwj9sw45jkwxmt9f1"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2024/03/29/1"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache Fineract",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThan": "1.9.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Yash Sancheti"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Privilege Management vulnerability in Apache Fineract.\u003cp\u003eThis issue affects Apache Fineract: \u0026lt;1.8.5.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 1.9.0, which fixes the issue.\u003c/p\u003e"
                }
              ],
              "value": "Improper Privilege Management vulnerability in Apache Fineract.This issue affects Apache Fineract: \u003c1.8.5.\n\nUsers are recommended to upgrade to version 1.9.0, which fixes the issue."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "important"
                },
                "type": "Textual description of severity"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 8.4,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-269",
                  "description": "CWE-269 Improper Privilege Management",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-01T18:06:44.197Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://cwiki.apache.org/confluence/display/FINERACT/Apache+Fineract+Security+Report"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/fq1ns4nprw2vqpkwwj9sw45jkwxmt9f1"
            },
            {
              "url": "http://www.openwall.com/lists/oss-security/2024/03/29/1"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache Fineract: Under certain circumstances, this vulnerability allowed users, without specific permissions, to escalate their privileges to any role.",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2024-23537",
        "datePublished": "2024-03-29T14:38:05.738Z",
        "dateReserved": "2024-01-18T04:59:16.245Z",
        "dateUpdated": "2025-02-13T17:39:45.238Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-23538 (GCVE-0-2024-23538)

    Vulnerability from cvelistv5 – Published: 2024-03-29 14:37 – Updated: 2025-02-13 17:39
    VLAI
    Title
    Apache Fineract: Under certain system configurations, the sqlSearch parameter was vulnerable to SQL injection attacks, potentially allowing attackers to manipulate database queries.
    Summary
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Fineract.This issue affects Apache Fineract: <1.8.5. Users are recommended to upgrade to version 1.8.5 or 1.9.0, which fix the issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Fineract Affected: 0 , < 1.8.5 (semver)
    Create a notification for this product.
    apache fineract Affected: 0 , < 1.8.5 (semver)
        cpe:2.3:a:apache:fineract:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Yash Sancheti Majd Alasfar of ProgressSoft
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T23:06:25.181Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://cwiki.apache.org/confluence/display/FINERACT/Apache+Fineract+Security+Report"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread/by32w2dylzgbqm5940x3wj7519wolqxs"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2024/03/29/2"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:apache:fineract:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "fineract",
                "vendor": "apache",
                "versions": [
                  {
                    "lessThan": "1.8.5",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-23538",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-04-01T19:58:21.744925Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-21T22:45:12.821Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache Fineract",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThan": "1.8.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Yash Sancheti"
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Majd Alasfar of ProgressSoft"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Apache Fineract.\u003cp\u003eThis issue affects Apache Fineract: \u0026lt;1.8.5.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 1.8.5 or 1.9.0, which fix the issue.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Apache Fineract.This issue affects Apache Fineract: \u003c1.8.5.\n\nUsers are recommended to upgrade to version 1.8.5 or 1.9.0, which fix the issue."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "important"
                },
                "type": "Textual description of severity"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 9.9,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-01T18:11:52.233Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://cwiki.apache.org/confluence/display/FINERACT/Apache+Fineract+Security+Report"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/by32w2dylzgbqm5940x3wj7519wolqxs"
            },
            {
              "url": "http://www.openwall.com/lists/oss-security/2024/03/29/2"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache Fineract: Under certain system configurations, the sqlSearch parameter was vulnerable to SQL injection attacks, potentially allowing attackers to manipulate database queries.",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2024-23538",
        "datePublished": "2024-03-29T14:37:40.374Z",
        "dateReserved": "2024-01-18T05:11:07.977Z",
        "dateUpdated": "2025-02-13T17:39:45.863Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-23539 (GCVE-0-2024-23539)

    Vulnerability from cvelistv5 – Published: 2024-03-29 14:36 – Updated: 2025-02-13 17:39
    VLAI
    Title
    Apache Fineract: Under certain system configurations, the sqlSearch parameter for specific endpoints was vulnerable to SQL injection attacks, potentially allowing attackers to manipulate database queries.
    Summary
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Fineract.This issue affects Apache Fineract: <1.8.5. Users are recommended to upgrade to version 1.8.5 or 1.9.0, which fix the issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Fineract Affected: 0 , ≤ 1.8.4 (custom)
    Create a notification for this product.
    Credits
    Yash Sancheti of GH Solutions Consultants
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-23539",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-08T18:15:17.746807Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-08T20:07:58.442Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T23:06:25.209Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://cwiki.apache.org/confluence/display/FINERACT/Apache+Fineract+Security+Report"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread/g8sv1gnjv716lx2h89jbvjdgtrrjmy7h"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2024/03/29/3"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache Fineract",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "1.8.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Yash Sancheti of GH Solutions Consultants"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Apache Fineract.\u003cp\u003eThis issue affects Apache Fineract: \u0026lt;1.8.5.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 1.8.5 or 1.9.0, which fix the issue.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Apache Fineract.This issue affects Apache Fineract: \u003c1.8.5.\n\nUsers are recommended to upgrade to version 1.8.5 or 1.9.0, which fix the issue."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "critical"
                },
                "type": "Textual description of severity"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-01T17:09:56.568Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://cwiki.apache.org/confluence/display/FINERACT/Apache+Fineract+Security+Report"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/g8sv1gnjv716lx2h89jbvjdgtrrjmy7h"
            },
            {
              "url": "http://www.openwall.com/lists/oss-security/2024/03/29/3"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache Fineract: Under certain system configurations, the sqlSearch parameter for specific endpoints was vulnerable to SQL injection attacks, potentially allowing attackers to manipulate database queries.",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2024-23539",
        "datePublished": "2024-03-29T14:36:57.919Z",
        "dateReserved": "2024-01-18T05:12:01.266Z",
        "dateUpdated": "2025-02-13T17:39:46.405Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-25197 (GCVE-0-2023-25197)

    Vulnerability from cvelistv5 – Published: 2023-03-28 11:17 – Updated: 2024-10-23 15:14
    VLAI
    Title
    apache fineract: SQL injection vulnerability in certain procedure calls
    Summary
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Software Foundation apache fineract. Authorized users may be able to exploit this for limited impact on components.   This issue affects apache fineract: from 1.4 through 1.8.2.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Apache Software Foundation apache fineract Affected: 1.4 , ≤ 1.8.2 (semver)
    Create a notification for this product.
    Credits
    Eugene Lim at Cyber Security Group (CSG) Government Technology Agency GOVTECH.sg aleks@apache.org
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T11:18:36.121Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread/v0q9x86sx6f6l2nzr1z0nwm3y9qlng04"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-25197",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-23T15:14:09.196104Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-23T15:14:18.730Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "apache fineract",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "1.8.2",
                  "status": "affected",
                  "version": "1.4",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Eugene Lim at Cyber Security Group (CSG) Government Technology Agency GOVTECH.sg"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "aleks@apache.org"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Apache Software Foundation apache fineract.\u003cbr\u003e\u003cp\u003eAuthorized users may be able to exploit this for limited impact on components. \u0026nbsp;\u003c/p\u003e\u003cp\u003eThis issue affects apache fineract: from 1.4 through 1.8.2.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Apache Software Foundation apache fineract.\nAuthorized users may be able to exploit this for limited impact on components. \u00a0\n\nThis issue affects apache fineract: from 1.4 through 1.8.2.\n\n"
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "moderate"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-03-28T11:17:19.026Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/v0q9x86sx6f6l2nzr1z0nwm3y9qlng04"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "apache fineract: SQL injection vulnerability in certain procedure calls ",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2023-25197",
        "datePublished": "2023-03-28T11:17:19.026Z",
        "dateReserved": "2023-02-06T01:33:31.192Z",
        "dateUpdated": "2024-10-23T15:14:18.730Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-25196 (GCVE-0-2023-25196)

    Vulnerability from cvelistv5 – Published: 2023-03-28 11:16 – Updated: 2024-10-23 15:14
    VLAI
    Title
    Apache Fineract: SQL injection vulnerability
    Summary
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Software Foundation Apache Fineract. Authorized users may be able to change or add data in certain components.   This issue affects Apache Fineract: from 1.4 through 1.8.2.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Fineract Affected: 1.4 , ≤ 1.8.2 (semver)
    Create a notification for this product.
    Credits
    Zhang Baocheng at Leng Jing Qi Cai Security Lab Aleks@apache.org
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T11:18:36.263Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread/m9x3vpn3bry4fympkzxnnz4qx0oc0w8m"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-25196",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-23T15:14:35.403529Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-23T15:14:44.993Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Apache Fineract",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "1.8.2",
                  "status": "affected",
                  "version": "1.4",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": " Zhang Baocheng at Leng Jing Qi Cai Security Lab"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Aleks@apache.org"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Apache Software Foundation Apache Fineract.\u003cbr\u003e\u003cp\u003eAuthorized users may be able to change or add data in certain components. \u0026nbsp;\u003c/p\u003e\u003cp\u003eThis issue affects Apache Fineract: from 1.4 through 1.8.2.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Apache Software Foundation Apache Fineract.\nAuthorized users may be able to change or add data in certain components. \u00a0\n\nThis issue affects Apache Fineract: from 1.4 through 1.8.2.\n\n"
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "important"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-03-28T11:16:57.603Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/m9x3vpn3bry4fympkzxnnz4qx0oc0w8m"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Apache Fineract: SQL injection vulnerability ",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2023-25196",
        "datePublished": "2023-03-28T11:16:57.603Z",
        "dateReserved": "2023-02-06T01:32:54.479Z",
        "dateUpdated": "2024-10-23T15:14:44.993Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-25195 (GCVE-0-2023-25195)

    Vulnerability from cvelistv5 – Published: 2023-03-28 11:16 – Updated: 2024-10-23 15:16
    VLAI
    Title
    Apache Fineract: SSRF template type vulnerability in certain authenticated users
    Summary
    Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache Fineract. Authorized users with limited permissions can gain access to server and may be able to use server for any outbound traffic.  This issue affects Apache Fineract: from 1.4 through 1.8.3.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Fineract Affected: 1.4 , ≤ 1.8.3 (semver)
    Create a notification for this product.
    apache fineract Affected: 1.4.0 , ≤ 1.8.3 (custom)
        cpe:2.3:a:apache:fineract:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Huydoppa from GHTK Aleksander
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T11:18:36.247Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread/m58fdjmtkfp9h4c0r4l48rv995w3qhb6"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:apache:fineract:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "fineract",
                "vendor": "apache",
                "versions": [
                  {
                    "lessThanOrEqual": "1.8.3",
                    "status": "affected",
                    "version": "1.4.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 8.1,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-25195",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-23T15:15:05.674623Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-23T15:16:08.717Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Apache Fineract",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "1.8.3",
                  "status": "affected",
                  "version": "1.4",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Huydoppa from GHTK "
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Aleksander"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache Fineract.\u003cbr\u003e\u003cp\u003eAuthorized users with limited permissions can gain access to server and may be able to use server for any outbound traffic.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThis issue affects Apache Fineract: from 1.4 through 1.8.3.\u003c/p\u003e"
                }
              ],
              "value": "Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache Fineract.\nAuthorized users with limited permissions can gain access to server and may be able to use server for any outbound traffic.\u00a0\n\nThis issue affects Apache Fineract: from 1.4 through 1.8.3.\n\n"
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "moderate"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918 Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-03-28T11:16:28.304Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/m58fdjmtkfp9h4c0r4l48rv995w3qhb6"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Apache Fineract: SSRF template type vulnerability in certain authenticated users",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2023-25195",
        "datePublished": "2023-03-28T11:16:28.304Z",
        "dateReserved": "2023-02-06T01:32:05.395Z",
        "dateUpdated": "2024-10-23T15:16:08.717Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-44635 (GCVE-0-2022-44635)

    Vulnerability from cvelistv5 – Published: 2022-11-29 00:00 – Updated: 2025-04-25 14:51
    VLAI
    Title
    Apache Fineract allowed an authenticated user to perform remote code execution due to path traversal
    Summary
    Apache Fineract allowed an authenticated user to perform remote code execution due to a path traversal vulnerability in a file upload component of Apache Fineract, allowing an attacker to run remote code. This issue affects Apache Fineract version 1.8.0 and prior versions. We recommend users to upgrade to 1.8.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Fineract Affected: Apache Fineract 1.8 , ≤ 1.8.0 (custom)
    Affected: Apache Fineract 1.7 , ≤ 1.7.0 (custom)
    Create a notification for this product.
    Credits
    We would like to thank Aman Sapra, co-captain of the Super Guesser CTF team & Security researcher at CRED, for reporting this issue, and the Apache Security team for their assistance. We give kudos and karma to @Aleksandar Vidakovic for resolving this CVE.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T13:54:03.993Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread/t8q6fmh3o6yqmy69qtqxppk9yg9wfybg"
              },
              {
                "name": "[oss-security] 20221129 CVE-2022-44635: Apache Fineract allowed an authenticated user to perform remote code execution due to path traversal",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2022/11/29/3"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 8.8,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-44635",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-25T14:50:47.128187Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-25T14:51:14.718Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Apache Fineract",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "1.8.0",
                  "status": "affected",
                  "version": "Apache Fineract 1.8",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "1.7.0",
                  "status": "affected",
                  "version": "Apache Fineract 1.7",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "We would like to thank  Aman Sapra, co-captain of the Super Guesser CTF team \u0026 Security researcher at CRED, for reporting this issue, and the Apache Security team for their assistance.  We give kudos and karma to @Aleksandar Vidakovic for resolving this CVE. "
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Apache Fineract allowed an authenticated user to perform remote code execution due to a path traversal vulnerability in a file upload component of Apache Fineract, allowing an attacker to run remote code. This issue affects Apache Fineract version 1.8.0 and prior versions. We recommend users to upgrade to 1.8.1."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "other": "important"
                },
                "type": "unknown"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-11-29T00:00:00.000Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "url": "https://lists.apache.org/thread/t8q6fmh3o6yqmy69qtqxppk9yg9wfybg"
            },
            {
              "name": "[oss-security] 20221129 CVE-2022-44635: Apache Fineract allowed an authenticated user to perform remote code execution due to path traversal",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2022/11/29/3"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache Fineract allowed an authenticated user to perform remote code execution due to path traversal",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2022-44635",
        "datePublished": "2022-11-29T00:00:00.000Z",
        "dateReserved": "2022-11-02T00:00:00.000Z",
        "dateUpdated": "2025-04-25T14:51:14.718Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-17514 (GCVE-0-2020-17514)

    Vulnerability from cvelistv5 – Published: 2021-05-27 12:10 – Updated: 2024-08-04 14:00
    VLAI
    Title
    disabled hostname verificiation
    Summary
    Apache Fineract prior to 1.5.0 disables HTTPS hostname verification in ProcessorHelper in the configureClient method. Under typical deployments, a man in the middle attack could be successful.
    Severity
    No CVSS data available.
    CWE
    • Missing Hostname Verification
    Assigner
    References
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Fineract Affected: Apache Fineract , < 1.5.0 (custom)
    Create a notification for this product.
    Credits
    We would like to thank Simon Gerst at https://github.com/intrigus-lgtm for reporting this issue
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T14:00:48.549Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://issues.apache.org/jira/browse/FINERACT-1211"
              },
              {
                "name": "[fineract-dev] 20210527 Re: Release 1.5.0 fixed security issue CVE-2020-17514",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rc011b25289c8a6e14f8bc6d07e727382a1df3c8cf2aa5369598bbf64%40%3Cdev.fineract.apache.org%3E"
              },
              {
                "name": "[oss-security] 20210527 CVE-2020-17514: Apache Fineract: Disabled hostname verification for HTTPS",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2021/05/27/2"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Apache Fineract",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThan": "1.5.0",
                  "status": "affected",
                  "version": "Apache Fineract",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "We would like to thank Simon Gerst at https://github.com/intrigus-lgtm  for reporting this issue"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Apache Fineract prior to 1.5.0 disables HTTPS hostname verification in ProcessorHelper in the configureClient method. Under typical deployments, a man in the middle attack could be successful."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Missing Hostname Verification",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-05-27T17:06:10.000Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://issues.apache.org/jira/browse/FINERACT-1211"
            },
            {
              "name": "[fineract-dev] 20210527 Re: Release 1.5.0 fixed security issue CVE-2020-17514",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rc011b25289c8a6e14f8bc6d07e727382a1df3c8cf2aa5369598bbf64%40%3Cdev.fineract.apache.org%3E"
            },
            {
              "name": "[oss-security] 20210527 CVE-2020-17514: Apache Fineract: Disabled hostname verification for HTTPS",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2021/05/27/2"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "disabled hostname verificiation",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@apache.org",
              "ID": "CVE-2020-17514",
              "STATE": "PUBLIC",
              "TITLE": "disabled hostname verificiation"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Apache Fineract",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "Apache Fineract",
                                "version_value": "1.5.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Apache Software Foundation"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "We would like to thank Simon Gerst at https://github.com/intrigus-lgtm  for reporting this issue"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Apache Fineract prior to 1.5.0 disables HTTPS hostname verification in ProcessorHelper in the configureClient method. Under typical deployments, a man in the middle attack could be successful."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Missing Hostname Verification"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://issues.apache.org/jira/browse/FINERACT-1211",
                  "refsource": "MISC",
                  "url": "https://issues.apache.org/jira/browse/FINERACT-1211"
                },
                {
                  "name": "[fineract-dev] 20210527 Re: Release 1.5.0 fixed security issue CVE-2020-17514",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rc011b25289c8a6e14f8bc6d07e727382a1df3c8cf2aa5369598bbf64@%3Cdev.fineract.apache.org%3E"
                },
                {
                  "name": "[oss-security] 20210527 CVE-2020-17514: Apache Fineract: Disabled hostname verification for HTTPS",
                  "refsource": "MLIST",
                  "url": "http://www.openwall.com/lists/oss-security/2021/05/27/2"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2020-17514",
        "datePublished": "2021-05-27T12:10:10.000Z",
        "dateReserved": "2020-08-12T00:00:00.000Z",
        "dateUpdated": "2024-08-04T14:00:48.549Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }