CVE-2017-5663

CWE-89SQL Injection3 documents3 sources
Severity
8.8HIGH
EPSS
0.2%
top 58.63%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache Software Foundation Apache FineractApache Fineract
Timeline
PublishedDec 14
Latest updateMay 14

Description

In Apache Fineract 0.4.0-incubating, 0.5.0-incubating, and 0.6.0-incubating, an authenticated user with client/loan/center/staff/group read permissions is able to inject malicious SQL into SELECT queries. The 'sqlSearch' parameter on a number of endpoints is not sanitized and appended directly to the query.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

NVDapache/fineract0.4.0-incubating, 0.5.0-incubating, 0.6.0-incubating+2
CVEListV5apache_software_foundation/apache_fineract0.4.0-incubating, 0.5.0-incubating, 0.6.0-incubating+2

🔴Vulnerability Details

2
GHSA
GHSA-432p-g7rx-g388: In Apache Fineract 02022-05-14
CVEList
CVE-2017-5663: In Apache Fineract 02017-12-14
CVE-2017-5663 (HIGH CVSS 8.8) | In Apache Fineract 0.4.0-incubating | cvebase.io