CVE-2022-44635: Apache Fineract Remote Code Execution
The Apache Fineract project has patched a high-severity vulnerability that, if left unaddressed, could be exploited to gain remote code execution (RCE) on affected installations.
Apache Fineract is open-source software for financial services. The project's mission is to build, maintain and enhance a cloud-ready core banking system for the robust, scalable and secure operation of financial institutions. Fineract provides a reliable, robust and affordable solution for entrepreneurs, financial institutions and service providers.
Tracked as CVE-2022-44635, the flaw is described as a path traversal vulnerability in a file upload component. By manipulating variables that reference files with “dot-dot-slash (../)” sequences and their variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system including application source code or configuration and critical system files.
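The two failure modes the advisory names, "../" sequences and absolute paths, beside a containment check that rejects them. This is an added illustration in Python, not Fineract's own code; the upload root and file names are constructed for the example.

```python
import os
from urllib.parse import unquote

# Constructed upload root for the example; not a real Fineract path.
UPLOAD_ROOT = os.path.realpath("/tmp/fineract-demo-uploads")


def naive_upload_path(root: str, filename: str) -> str:
    """The weak pattern: use the client-supplied name as-is.

    os.path.join keeps '../' segments and, when `filename` is absolute,
    silently discards `root`, so the written file can land anywhere the
    service account is allowed to write.
    """
    return os.path.join(root, filename)


def safe_upload_path(root: str, filename: str) -> str:
    """Hardened version: canonicalize, then require the result to stay
    inside `root`. Rejects '../' variants, absolute paths, percent-encoded
    separators and embedded NUL bytes.
    """
    # Decode once (a conservative choice) so a name is judged by what it
    # resolves to, not by how it is spelled.
    decoded = unquote(filename)
    if "\x00" in decoded or not decoded.strip():
        raise ValueError("invalid file name")
    root = os.path.realpath(root)  # resolve symlinks in the root as well
    candidate = os.path.realpath(os.path.join(root, decoded))
    # commonpath is the containment test; a bare string-prefix test would
    # accept '/tmp/fineract-demo-uploads-evil' next to the real root.
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"path traversal rejected: {filename!r}")
    return candidate


def is_accepted(filename: str, root: str = UPLOAD_ROOT) -> bool:
    """True if the hardened check would store a file under this name."""
    try:
        safe_upload_path(root, filename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name in ["report.pdf", "2023/report.pdf", "../../etc/passwd",
                 "/etc/passwd", "..%2F..%2Fetc%2Fpasswd", "docs/../../x"]:
        print(f"{name!r:30} naive -> {naive_upload_path(UPLOAD_ROOT, name)!r:48}"
              f" accepted={is_accepted(name)}")
```

Generating the stored name server-side (for example a random identifier) and keeping the client name only as metadata removes the problem entirely; the check above is the fallback when the client name must be used.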
“Apache Fineract allowed an authenticated user to perform remote code execution due to a path traversal vulnerability in a file upload component of Apache Fineract, allowing an attacker to run remote code,” the developers wrote.
CVE-2022-44635 affects Fineract version 1.8.0 and earlier. Sapra, co-captain of the Super Guesser CTF team and security researcher at CRED, has been credited with reporting this vulnerability.
Apache Fineract users are encouraged to upgrade to version 1.7.1 or 1.8.1 to avoid possible exploitation.