Community - The fix was released last week at patch 1.7.1 and 1.8.1. It is recommended that all users update to the latest version of Fineract.
Members of the community have tested the approach (and code fixes) for other versions. They can chime in here, and I will be placing additional information on the wiki at https://cwiki.apache.org/confluence/display/FINERACT/Fineract+Project+Security+Report <https://cwiki.apache.org/confluence/display/FINERACT/Fineract+Project+Security+Report> This also tested our patch process, which was positive. Thanks James James Dailey On Tue, Nov 29, 2022 at 6:22 AM Arnout Engelen <[email protected]> wrote: > Severity: important > > Description: > > Apache Fineract allowed an authenticated user to perform remote code > execution due to a path traversal vulnerability in a file upload component > of Apache Fineract, allowing an attacker to run remote code. This issue > affects Apache Fineract version 1.8.0 and prior versions. We recommend > users to upgrade to 1.8.1. > > Credit: > > We would like to thank Aman Sapra, co-captain of the Super Guesser CTF > team & Security researcher at CRED, for reporting this issue, and the > Apache Security team for their assistance. We give kudos and karma to > @Aleksandar Vidakovic for resolving this CVE. > >
