Apache Fineract Insufficiently Protected Credentials

CRITICAL (9.1) | No patch (1 day)

Threat Intelligence

Low Risk
EPSS Score: 0.03% chance of exploitation (percentile: 8%)
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found


What is it?

Apache Fineract is a Java-based open-source platform for financial institutions and other organizations that manages financial data, transactions, and compliance. The issue on this page is classed as Insufficiently Protected Credentials: according to the advisory summary it allows attackers to bypass Fineract's authentication mechanisms, potentially leading to unauthorized access to sensitive financial information.

Am I affected?

You're affected if you run Apache Fineract 1.11.0, or build against the org.apache.fineract:fineract-core artifact at that version. Affected versions: 1.11.0

Affected Packages

maven: org.apache.fineract:fineract-core
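One way to check whether your build pulls in the affected artifact, as an added example (not code from the Fineract project): it reads a pom.xml or the output of `mvn dependency:list`, looks for the org.apache.fineract:fineract-core coordinate named above, and classifies the version against the affected (1.11.0) and fixed (1.12.1) releases stated on this page. The sample pom and dependency-list lines are constructed for illustration.

```python
"""Flag the affected fineract-core version in Maven dependency metadata.

Added example, not Apache Fineract project code. The affected and fixed
versions are taken from the advisory text on this page; the sample pom.xml
and `mvn dependency:list` output below are constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET

GROUP_ID = "org.apache.fineract"
ARTIFACT_ID = "fineract-core"
AFFECTED_VERSIONS = {"1.11.0"}   # from the advisory
FIXED_VERSION = "1.12.1"         # from the advisory

POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed sample inputs (not taken from a real project).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <dependencies>
    <dependency>
      <groupId>org.apache.fineract</groupId>
      <artifactId>fineract-core</artifactId>
      <version>1.11.0</version>
    </dependency>
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-api</artifactId>
      <version>2.0.9</version>
    </dependency>
  </dependencies>
</project>
"""

SAMPLE_DEP_LIST = """[INFO] The following files have been resolved:
[INFO]    org.apache.fineract:fineract-core:jar:1.11.0:compile
[INFO]    org.slf4j:slf4j-api:jar:2.0.9:compile
"""


def parse_version(version):
    """'1.12.1' -> (1, 12, 1); qualifiers such as '-SNAPSHOT' are dropped."""
    core = version.split("-")[0]
    parts = [int(p) if p.isdigit() else 0 for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def assess(version):
    """Return 'affected', 'fixed' or 'unknown' for a fineract-core version string.

    'unknown' covers releases the advisory does not name (older than 1.11.0
    or between it and 1.12.1); treat those as needing manual review.
    """
    if version in AFFECTED_VERSIONS:
        return "affected"
    if parse_version(version) >= parse_version(FIXED_VERSION):
        return "fixed"
    return "unknown"


def versions_from_pom(pom_xml):
    """Versions of fineract-core dependencies declared directly in a pom.xml."""
    root = ET.fromstring(pom_xml)
    found = []
    for dep in root.iter(POM_NS + "dependency"):
        group = dep.findtext(POM_NS + "groupId")
        artifact = dep.findtext(POM_NS + "artifactId")
        version = dep.findtext(POM_NS + "version")
        if group == GROUP_ID and artifact == ARTIFACT_ID and version:
            found.append(version)
    return found


# Matches the five-field form `group:artifact:type:version:scope` that
# `mvn dependency:list` prints (optionally prefixed with "[INFO]").
DEP_LINE = re.compile(r"^\s*(?:\[INFO\]\s+)?([\w.\-]+):([\w.\-]+):[\w\-]+:([\w.\-]+):\w+")


def versions_from_dependency_list(text):
    """Versions of fineract-core found in `mvn dependency:list` output.

    Unlike the pom scan this also catches transitive pulls of the artifact.
    """
    found = []
    for line in text.splitlines():
        m = DEP_LINE.match(line)
        if m and m.group(1) == GROUP_ID and m.group(2) == ARTIFACT_ID:
            found.append(m.group(3))
    return found


def report(versions):
    """Pair each found version with its assessment."""
    return [(v, assess(v)) for v in versions]


if __name__ == "__main__":
    for source, versions in (("pom.xml", versions_from_pom(SAMPLE_POM)),
                             ("dependency:list", versions_from_dependency_list(SAMPLE_DEP_LIST))):
        for version, status in report(versions):
            print(f"{source}: {GROUP_ID}:{ARTIFACT_ID}:{version} -> {status}")
```

The dependency-list scan matters more than the pom scan in practice: a service that depends on another Fineract module can pull fineract-core in transitively without ever declaring it in its own pom.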

Affected Products

Apache Software Foundation / Fineract

How to fix

To fix the issue, upgrade to Apache Fineract version 1.12.1 or later. You can download the latest release from the Apache Software Foundation's website: https://fineract.apache.org/downloads.html

Immediate mitigations (these reduce exposure until you can upgrade; they do not remove the flaw):

  • Restrict network access to your Fineract instance (firewall it from the public internet)
  • Audit admin account activity for suspicious access patterns
  • Monitor for unauthorized token creation