cnvd - cnvd-2023-23557

CNVD-2023-23557

Vulnerability from cnvd - Published: 2023-04-03

Title

Apache Fineract SQL注入漏洞（CNVD-2023-23557）

Description

Apache Fineract是美国阿帕奇（Apache）基金会的一套开源数字金融服务平台。该平台能够为用户提供数据管理、贷款和储蓄投资组合管理以及实时财务数据等功能。 Apache Fineract 1.4到1.8.3版本存在SQL注入漏洞，该漏洞源于系统使用的特殊元素不当中和，攻击者利用该漏洞导致SQL注入攻击。

Severity

中

Patch Name

Apache Fineract SQL注入漏洞（CNVD-2023-23557）的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://lists.apache.org/thread/v0q9x86sx6f6l2nzr1z0nwm3y9qlng04

Reference

https://nvd.nist.gov/vuln/detail/CVE-2023-25197

Impacted products

Name
Apache Fineract >=1.4，<=1.8.3

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2023-25197",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2023-25197"
    }
  },
  "description": "Apache Fineract\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u5957\u5f00\u6e90\u6570\u5b57\u91d1\u878d\u670d\u52a1\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u80fd\u591f\u4e3a\u7528\u6237\u63d0\u4f9b\u6570\u636e\u7ba1\u7406\u3001\u8d37\u6b3e\u548c\u50a8\u84c4\u6295\u8d44\u7ec4\u5408\u7ba1\u7406\u4ee5\u53ca\u5b9e\u65f6\u8d22\u52a1\u6570\u636e\u7b49\u529f\u80fd\u3002\n\nApache Fineract 1.4\u52301.8.3\u7248\u672c\u5b58\u5728SQL\u6ce8\u5165\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7cfb\u7edf\u4f7f\u7528\u7684\u7279\u6b8a\u5143\u7d20\u4e0d\u5f53\u4e2d\u548c\uff0c\u653b\u51fb\u8005\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4SQL\u6ce8\u5165\u653b\u51fb\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://lists.apache.org/thread/v0q9x86sx6f6l2nzr1z0nwm3y9qlng04",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2023-23557",
  "openTime": "2023-04-03",
  "patchDescription": "Apache Fineract\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u5957\u5f00\u6e90\u6570\u5b57\u91d1\u878d\u670d\u52a1\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u80fd\u591f\u4e3a\u7528\u6237\u63d0\u4f9b\u6570\u636e\u7ba1\u7406\u3001\u8d37\u6b3e\u548c\u50a8\u84c4\u6295\u8d44\u7ec4\u5408\u7ba1\u7406\u4ee5\u53ca\u5b9e\u65f6\u8d22\u52a1\u6570\u636e\u7b49\u529f\u80fd\u3002\r\n\r\nApache Fineract 1.4\u52301.8.3\u7248\u672c\u5b58\u5728SQL\u6ce8\u5165\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7cfb\u7edf\u4f7f\u7528\u7684\u7279\u6b8a\u5143\u7d20\u4e0d\u5f53\u4e2d\u548c\uff0c\u653b\u51fb\u8005\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4SQL\u6ce8\u5165\u653b\u51fb\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache Fineract SQL\u6ce8\u5165\u6f0f\u6d1e\uff08CNVD-2023-23557\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "Apache Fineract \u003e=1.4\uff0c\u003c=1.8.3"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2023-25197",
  "serverity": "\u4e2d",
  "submitTime": "2023-03-30",
  "title": "Apache Fineract SQL\u6ce8\u5165\u6f0f\u6d1e\uff08CNVD-2023-23557\uff09"
}

CVE-2023-25197 (GCVE-0-2023-25197)

Vulnerability from cvelistv5 – Published: 2023-03-28 11:17 – Updated: 2024-10-23 15:14

Title

apache fineract: SQL injection vulnerability in certain procedure calls

Summary

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Software Foundation apache fineract. Authorized users may be able to exploit this for limited impact on components. This issue affects apache fineract: from 1.4 through 1.8.2.

Severity ?

No CVSS data available.

CWE

CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Assigner

apache

References

URL

Tags

https://lists.apache.org/thread/v0q9x86sx6f6l2nzr…

vendor-advisory

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	apache fineract	Affected: 1.4 , ≤ 1.8.2 (semver)

Credits

Eugene Lim at Cyber Security Group (CSG) Government Technology Agency GOVTECH.sg aleks@apache.org

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T11:18:36.121Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread/v0q9x86sx6f6l2nzr1z0nwm3y9qlng04"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-25197",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-23T15:14:09.196104Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-23T15:14:18.730Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "apache fineract",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "1.8.2",
              "status": "affected",
              "version": "1.4",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Eugene Lim at Cyber Security Group (CSG) Government Technology Agency GOVTECH.sg"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "aleks@apache.org"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Apache Software Foundation apache fineract.\u003cbr\u003e\u003cp\u003eAuthorized users may be able to exploit this for limited impact on components. \u0026nbsp;\u003c/p\u003e\u003cp\u003eThis issue affects apache fineract: from 1.4 through 1.8.2.\u003c/p\u003e"
            }
          ],
          "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Apache Software Foundation apache fineract.\nAuthorized users may be able to exploit this for limited impact on components. \u00a0\n\nThis issue affects apache fineract: from 1.4 through 1.8.2.\n\n"
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "moderate"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-03-28T11:17:19.026Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/v0q9x86sx6f6l2nzr1z0nwm3y9qlng04"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "apache fineract: SQL injection vulnerability in certain procedure calls ",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2023-25197",
    "datePublished": "2023-03-28T11:17:19.026Z",
    "dateReserved": "2023-02-06T01:33:31.192Z",
    "dateUpdated": "2024-10-23T15:14:18.730Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2023-23557

CVE-2023-25197 (GCVE-0-2023-25197)

Tags

Sightings

Nomenclature