Vulnerabilities > CVE-2020-17514 - Unspecified vulnerability in Apache Fineract

CVSS 7.4 - HIGH

Attack vector

NETWORK

Attack complexity

HIGH

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

NONE

network

high complexity

apache

NVD

Published: 2021-05-27

Updated: 2023-11-07

Summary

Apache Fineract prior to 1.5.0 disables HTTPS hostname verification in ProcessorHelper in the configureClient method. Under typical deployments, a man in the middle attack could be successful.

Vulnerable Configurations

Part	Description	Count
Application	Apache Apache Fineract 0.1.2 Apache Fineract 0.3.1 Apache Fineract 0.3.2 Apache Fineract 0.4.0 Apache Fineract 0.4.0-Incubating Apache Fineract 0.5.0 Apache Fineract 0.5.0-Incubating Apache Fineract 0.6.0 Apache Fineract 0.6.0-Incubating Apache Fineract 1.0.0 Apache Fineract 1.1.0 Apache Fineract 1.2.0 Apache Fineract 1.3.0 Apache Fineract 1.4.0	17

References

https://issues.apache.org/jira/browse/FINERACT-1211
http://www.openwall.com/lists/oss-security/2021/05/27/2
https://lists.apache.org/thread.html/rc011b25289c8a6e14f8bc6d07e727382a1df3c8cf2aa5369598bbf64%40%3Cdev.fineract.apache.org%3E