Cyber Resilience

CVE-2024-32838

Critical

Published: 12 February 2025

Modified: 04 March 2025
KEV Added: not listed
CVSS v4.0 base score: 9.4 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0015 (35.4th percentile)
Risk Priority: 19 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-32838 is a SQL Injection (CWE-89) vulnerability in Apache Fineract. It is rated Critical under CVSS v4.0 with a base score of 9.4; the CVSS v3.1 base score is 8.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score of 0.0015 places it at the 35.4th percentile of exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-32838 is a SQL injection vulnerability (CWE-89) affecting Apache Fineract versions 1.9 and earlier. The flaw lies in several REST API endpoints, including those for offices and dashboards, whose query parameters are not properly validated before being used to build SQL, so an authenticated caller can inject SQL syntax through them. Published on 2025-02-12, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Under that v3.1 vector, an authenticated attacker with low privileges (PR:L) can exploit the flaw over the network with low attack complexity and no user interaction. Note that the CVSS v4.0 vector shown above rates the required privileges as high (PR:H), so the two scorings disagree on the privilege level needed; the rest of the picture is the same. Successful exploitation allows arbitrary manipulation of the affected SQL queries, with high confidentiality, integrity and availability impact: data exfiltration, modification, or denial of service against the underlying database.

The Apache security advisory recommends upgrading to Apache Fineract version 1.10.1, which addresses the issue by implementing a SQL Validator: a configurable series of tests and checks applied to SQL queries that, according to the project, protects against nearly all potential SQL injection attacks. Additional details are available in the official Apache mailing list announcement and the OSS-Security posting.
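To make the CWE-89 pattern concrete, the following is an added example written for this page; it is not Apache Fineract code and does not reproduce the project's SQL Validator. It uses an in-memory SQLite table with constructed sample rows to stand in for an offices table, shows a REST query parameter concatenated into SQL in the way the advisory describes, the UNION payload that turns the offices listing into a read of an unrelated table, and the hardened form: bind parameters for values, an allow-list for the ORDER BY identifier, and a small configurable fragment validator loosely modelled on the advisory's description of running a series of checks against SQL. The table names, function names and the check list are assumptions made for the example.

```python
"""Added illustration of the CWE-89 pattern described in the advisory.
Not Apache Fineract code: table names, function names and the check list
are assumptions chosen for the example. Runs offline on in-memory SQLite."""
import re
import sqlite3

# Constructed sample rows standing in for an office hierarchy and a user table.
OFFICES = [(1, "Head Office", 0), (2, "Branch North", 1), (3, "Branch South", 1)]
USERS = [(1, "mifos", "hash-placeholder")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE office (id INTEGER PRIMARY KEY, name TEXT, parent_id INTEGER)")
    conn.executemany("INSERT INTO office VALUES (?, ?, ?)", OFFICES)
    # The offices endpoint has no business reading this table.
    conn.execute("CREATE TABLE app_user (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO app_user VALUES (?, ?, ?)", USERS)
    return conn


def list_offices_vulnerable(conn, name: str, order_by: str = "id"):
    """Vulnerable: both REST query parameters are spliced into the SQL text."""
    sql = f"SELECT id, name FROM office WHERE name = '{name}' ORDER BY {order_by}"
    return conn.execute(sql).fetchall()


# Payload for the ?name= parameter: closes the string literal, appends a UNION
# that reads app_user, and comments out the remainder of the original statement.
UNION_PAYLOAD = "x' UNION SELECT id, username || ':' || password_hash FROM app_user --"

# Identifiers cannot be passed as bind parameters, so sortable columns are an allow-list.
ALLOWED_ORDER_COLUMNS = frozenset({"id", "name", "parent_id"})


def list_offices_safe(conn, name: str, order_by: str = "id"):
    """Hardened: the value is bound, the identifier is checked against the allow-list."""
    if order_by not in ALLOWED_ORDER_COLUMNS:
        raise ValueError(f"unsupported orderBy column: {order_by!r}")
    sql = f"SELECT id, name FROM office WHERE name = ? ORDER BY {order_by}"
    return conn.execute(sql, (name,)).fetchall()


# Backstop for fragments that must stay dynamic: a configurable list of
# (check name, pattern) applied to the fragment, loosely modelled on the
# advisory's description of a validator that runs a series of checks against
# the SQL. Assumed design; the real Fineract validator is not reproduced here.
# A denylist like this complements, and never replaces, bind parameters.
FRAGMENT_CHECKS = [
    ("statement terminator", re.compile(r";")),
    ("sql comment", re.compile(r"--|/\*|\*/|#")),
    ("quote or backslash", re.compile(r"""['"\\]""")),
    ("dml or ddl keyword", re.compile(r"\b(union|select|insert|update|delete|drop|alter|exec)\b", re.I)),
]


def validate_fragment(fragment: str) -> list[str]:
    """Return the names of every check the fragment fails; an empty list means it passed."""
    return [name for name, pattern in FRAGMENT_CHECKS if pattern.search(fragment)]


if __name__ == "__main__":
    db = make_db()
    print("normal:", list_offices_vulnerable(db, "Head Office"))
    print("injected:", list_offices_vulnerable(db, UNION_PAYLOAD))
    print("hardened:", list_offices_safe(db, UNION_PAYLOAD))
    print("fragment checks:", validate_fragment("id; DROP TABLE office"))
```

The vulnerable function returns the `app_user` row for the payload because the attacker controls the statement text; the hardened function returns nothing because the same bytes are only ever a bound value, and any orderBy value outside the allow-list is rejected before a query is built. The fragment checks are the pattern-based layer: useful for catching dynamic SQL that slipped past review, but the allow-list and bind parameters are what actually close the hole.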

Vulnerability details

SQL Injection vulnerability in various API endpoints - offices, dashboards, etc. Apache Fineract versions 1.9 and before have a vulnerability that allows an authenticated attacker to inject malicious data into some of the REST API endpoints' query parameter. Users are recommended to upgrade to version 1.10.1, which fixes this issue. A SQL Validator has been implemented which allows us to configure a series of tests and checks against our SQL queries that will allow us to validate and protect against nearly all potential SQL injection attacks.

CWE(s)

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in public REST API endpoints directly enables exploitation of a public-facing application for arbitrary query execution and DB impact.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-58130 (same product: Apache Fineract)
CVE-2024-53678 (same vendor: Apache)
CVE-2026-40473 (same vendor: Apache)
CVE-2025-66236 (same vendor: Apache)
CVE-2025-54466 (same vendor: Apache)
CVE-2025-61622 (same vendor: Apache)
CVE-2024-54676 (same vendor: Apache)
CVE-2026-23918 (same vendor: Apache)
CVE-2026-41409 (same vendor: Apache)
CVE-2026-41084 (same vendor: Apache)

Affected Assets

apache:fineract, versions 1.4.0 through 1.10.1 as listed (1.10.1 is the release that contains the fix, so the vulnerable range ends below it)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent · SI-10 Information Input Validation: directly requires validation of the query parameters in the vulnerable REST API endpoints, blocking SQL injection attempts.

prevent · SI-2 Flaw Remediation: mandates timely remediation, here by upgrading to Apache Fineract 1.10.1 with its SQL Validator fix.

detect: supports vulnerability scanning to identify SQL injection flaws in API endpoints before they are exploited.