CVE-2024-32838
Published: 12 February 2025
Description
SQL Injection vulnerability in various API endpoints - offices, dashboards, etc. Apache Fineract versions 1.9 and before have a vulnerability that allows an authenticated attacker to inject malicious data into some of the REST API endpoints' query parameter. Users are recommended to upgrade to version 1.10.1, which fixes this issue. A SQL Validator has been implemented which allows us to configure a series of tests and checks against our SQL queries that will allow us to validate and protect against nearly all potential SQL injection attacks.
Security Summary
CVE-2024-32838 is a SQL injection vulnerability (CWE-89) affecting Apache Fineract versions 1.9 and earlier. The flaw exists in various REST API endpoints, including those for offices, dashboards, and others, where input taken from query parameters is not properly validated before being used in SQL queries, allowing injection of malicious data. Published on 2025-02-12, it has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.
An authenticated attacker with low privileges (PR:L) can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation enables arbitrary SQL query manipulation, potentially leading to high confidentiality, integrity, and availability impacts, such as data exfiltration, modification, or denial of service on the underlying database.
The Apache security advisory recommends upgrading to Apache Fineract version 1.10.1, which addresses the issue by implementing a SQL Validator. This validator applies configurable tests and checks to SQL queries, protecting against nearly all potential SQL injection attacks. Additional details are available in the official Apache mailing list announcement and OSS-Security posting.
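As an added illustration (this is not Fineract's code or its SQL Validator, whose concrete rules the advisory does not detail), the following Python shows the vulnerable pattern the description refers to beside a hardened version that binds values as parameters and allowlists sort identifiers, run against an in-memory SQLite table with constructed rows:

```python
import re
import sqlite3

# Constructed sample rows standing in for an "offices" table (not Fineract's schema).
_ROWS = [(1, "Head Office"), (2, "Branch A"), (3, "Branch B")]
# Allowlists: the only identifiers a request may select for ORDER BY.
ALLOWED_SORT_COLUMNS = {"id", "name"}
ALLOWED_SORT_ORDERS = {"ASC", "DESC"}
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def _db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE offices (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO offices VALUES (?, ?)", _ROWS)
    return conn


def validate_sort(column, order):
    """Allowlist check for identifiers, which cannot be bound as parameters.

    A value is accepted only if it is syntactically an identifier AND names
    a known column; the sort direction must be one of two fixed keywords.
    """
    if not _IDENT.match(column) or column not in ALLOWED_SORT_COLUMNS:
        return False
    return order.upper() in ALLOWED_SORT_ORDERS


def vulnerable_list_offices(column, order, name_prefix):
    # Vulnerable pattern: request parameters spliced straight into the SQL text.
    sql = (f"SELECT id, name FROM offices WHERE name LIKE '{name_prefix}%' "
           f"ORDER BY {column} {order}")
    return _db().execute(sql).fetchall()


def hardened_list_offices(column, order, name_prefix):
    # Hardened pattern: the value is a bound parameter, and the identifiers
    # must pass the validator before they are interpolated.
    if not validate_sort(column, order):
        raise ValueError("rejected unsafe sort parameter")
    sql = (f"SELECT id, name FROM offices WHERE name LIKE ? "
           f"ORDER BY {column} {order.upper()}")
    return _db().execute(sql, (name_prefix + "%",)).fetchall()
```

The same filter value that widens the vulnerable query to every row is treated as a plain literal by the hardened one, and an unsafe ORDER BY identifier is rejected before it reaches the database.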
Details
- CWE(s)