GHSA-wq49-6h5f-gc65
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Network REST endpoint (AV:N/AC:L), requires a low-priv office-view account (PR:L), blind read yields C:H with no write path (I:N), and connection-pool exhaustion gives A:H.
Primary rating from Vendor (CNA).
CVSS VectorVendor
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Lifecycle Timeline
6Description PRE-NVD
AnalysisAI
SQL injection in Apache Fineract's Office Search API (GET /api/v1/offices) in all versions up to and including 1.14.0 lets an authenticated user who holds the office-view permission inject arbitrary SQL through the orderBy request parameter. Because it bypasses the ColumnValidator hardening added for CVE-2024-32838, an attacker can run time-based blind SQL injection to exfiltrate database contents and, by launching concurrent injections that hold connections open, exhaust the database connection pool to cause denial of service. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires an authenticated Fineract account holding the permission to view offices (CVSS PR:L), and requests must target the Office Search API endpoint GET /api/v1/offices supplying a crafted orderBy parameter; the injected payload must be a bare subquery in the ORDER BY position, which evades the ColumnValidator control from the CVE-2024-32838 fix. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H, base 8.1) is internally consistent with the description: a network-reachable REST endpoint, low complexity, a low-privilege authenticated account (PR:L, matching the 'authenticated user with permission to view offices' precondition), no user interaction, high confidentiality impact from blind data exfiltration, and high availability impact from connection-pool exhaustion. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a low-privileged Fineract account that can view offices calls GET /api/v1/offices with an orderBy value carrying a bare subquery, then measures response timing to blind-extract sensitive rows (e.g., user or client financial data) one condition at a time. Because AC:L and PR:L, exploitation is straightforward for any authorized user; firing many such requests in parallel holds database connections open for the full query duration and starves the pool, degrading or denying service for everyone else. … |
| Remediation | Upstream fix available (PR/commit) via https://github.com/apache/fineract/pull/6048; a released patched version is not independently confirmed from the provided data, so upgrade to the first tagged Fineract release that incorporates PR #6048 (the vendor recommends upgrading to a version containing the fix - monitor https://fineract.apache.org/ and the Apache threads at https://lists.apache.org/thread/lb7zwdv7qntzy6z05gzf7m8mxw9cbgsj and https://lists.apache.org/thread/rj5vwh3z2xcvsf0rqwj8kokpbrxkhq4n for the exact version). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: enumerate all Fineract deployments and their versions, audit which users hold office-view permissions, and enable detailed query logging for the Office Search API endpoint. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44605