Cyber Posture

CVE-2024-32838

High

Published: 12 February 2025
Modified: 04 March 2025
KEV Added: not listed
Patch: available (Apache Fineract 1.10.1)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0015 (35.2nd percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-32838 is a high-severity SQL Injection (CWE-89) vulnerability in Apache Fineract. Its CVSS base score is 8.8 (High).

Operationally, it ranks at the 35.2nd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

prevent (SI-10, Information Input Validation): Directly requires validation of query parameters in vulnerable REST API endpoints to block SQL injection attempts.

prevent (SI-2, Flaw Remediation): Mandates timely flaw remediation, such as upgrading to Apache Fineract 1.10.1 with its SQL Validator fix.

detect: Facilitates vulnerability scanning to identify SQL injection flaws in API endpoints prior to exploitation.

NVD Description

SQL Injection vulnerability in various API endpoints - offices, dashboards, etc. Apache Fineract versions 1.9 and before have a vulnerability that allows an authenticated attacker to inject malicious data into some of the REST API endpoints' query parameters. Users are recommended to upgrade to version 1.10.1, which fixes this issue. A SQL Validator has been implemented which allows us to configure a series of tests and checks against our SQL queries that will allow us to validate and protect against nearly all potential SQL injection attacks.

Deeper analysis [AI-generated]

CVE-2024-32838 is a SQL injection vulnerability (CWE-89) affecting Apache Fineract versions 1.9 and earlier. The flaw exists in various REST API endpoints, including those for offices, dashboards, and others, where query parameter values are not properly sanitized before reaching SQL, allowing injection of malicious data. Published on 2025-02-12, it has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.

An authenticated attacker with low privileges (PR:L) can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation enables arbitrary SQL query manipulation, potentially leading to high confidentiality, integrity, and availability impacts, such as data exfiltration, modification, or denial of service on the underlying database.

The Apache security advisory recommends upgrading to Apache Fineract version 1.10.1, which addresses the issue by implementing a SQL Validator. This validator applies configurable tests and checks to SQL queries, protecting against nearly all potential SQL injection attacks. Additional details are available in the official Apache mailing list announcement and OSS-Security posting.
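The flaw class described above (a REST query parameter reaching SQL text unparameterized) and the validator-style fix, as an added example that is not Fineract's code: a constructed office table, a lookup that interpolates the name parameter, and a hardened version that binds the value and allow-lists the orderBy identifier, since a sort column cannot be bound and must be checked instead. The schema, function names and sample rows are assumptions for illustration.

```python
import sqlite3

# Constructed sample schema and data standing in for an office lookup (not Fineract's schema).
SCHEMA = """
CREATE TABLE office (id INTEGER PRIMARY KEY, name TEXT NOT NULL, opening_date TEXT NOT NULL);
INSERT INTO office VALUES (1, 'Head Office', '2009-01-01');
INSERT INTO office VALUES (2, 'Branch North', '2015-06-15');
INSERT INTO office VALUES (3, 'Branch South', '2018-03-02');
"""

# Allow-lists for identifiers a client may pass through orderBy / sortOrder query parameters.
ALLOWED_ORDER_BY = {"id", "name", "opening_date"}
ALLOWED_SORT_ORDER = {"ASC", "DESC"}


def open_db() -> sqlite3.Connection:
    """In-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def find_offices_vulnerable(conn, name: str, order_by: str = "id") -> list:
    """Before: query parameters are pasted straight into the SQL text (CWE-89)."""
    sql = f"SELECT name FROM office WHERE name = '{name}' ORDER BY {order_by}"
    return [row[0] for row in conn.execute(sql)]


def find_offices_hardened(conn, name: str, order_by: str = "id", sort_order: str = "ASC") -> list:
    """After: data values are bound; identifiers are validated against an allow-list."""
    # Column names and ASC/DESC cannot be bound as parameters, so they are
    # checked instead; anything off the allow-list is rejected before any SQL runs.
    if order_by not in ALLOWED_ORDER_BY:
        raise ValueError(f"orderBy not permitted: {order_by!r}")
    if sort_order.upper() not in ALLOWED_SORT_ORDER:
        raise ValueError(f"sortOrder not permitted: {sort_order!r}")
    sql = f"SELECT name FROM office WHERE name = ? ORDER BY {order_by} {sort_order.upper()}"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo() -> dict:
    """Runs the same inputs through both versions and reports what each returns."""
    conn = open_db()
    tautology = "x' OR '1'='1"  # constructed value that should match no office name
    results = {
        "vulnerable_leaks_all": find_offices_vulnerable(conn, tautology),
        "hardened_matches_none": find_offices_hardened(conn, tautology),
        "hardened_exact": find_offices_hardened(conn, "Branch North"),
    }
    try:
        find_offices_hardened(conn, "Head Office", order_by="name -- injected")
        results["bad_order_by_rejected"] = False
    except ValueError:
        results["bad_order_by_rejected"] = True
    return results
```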

Details

CWE(s): CWE-89 (SQL Injection)

Affected Products: apache / fineract, versions 1.4.0 to 1.10.1 (1.10.1 is the fixed release named in the advisory)

CVEs Like This One

CVE-2025-58130 (same product: Apache Fineract)
CVE-2024-53678 (same vendor: Apache)
CVE-2024-43166 (same vendor: Apache)
CVE-2025-24783 (same vendor: Apache)
CVE-2026-24343 (same vendor: Apache)
CVE-2026-34481 (same vendor: Apache)
CVE-2025-54550 (same vendor: Apache)
CVE-2025-23015 (same vendor: Apache)
CVE-2026-41044 (same vendor: Apache)
CVE-2024-52577 (same vendor: Apache)

References