In November 2022, a nasty vulnerability was disclosed in the open-source financial platform Apache Fineract. If you're running version 1.8.0 or earlier, you're at risk. The bug (CVE-2022-44635) lets any authenticated user abuse the file upload feature to write a file outside the upload directory, which leads to Remote Code Execution (RCE) on the server. The Apache team fixed it in version 1.8.1, but if you haven't patched, you could be in serious trouble.
Let’s dive into what went wrong, how an attack looks, and what you can do to stay safe.
What is Apache Fineract?
Apache Fineract is an open-source core banking platform used by financial institutions around the world, especially in digital finance and microfinance. Its document upload feature lets authenticated users attach files, such as loan documents, to records. Before 1.8.1 this feature did not restrict where the uploaded file was written, and that is the loophole.
Path Traversal Leads to Remote Code Execution
The main issue is "path traversal": the file name supplied by the user is joined onto the upload directory without any check, so ../ segments walk the write out of that directory and into any folder the server process can write to. An attacker can use that to overwrite files the application relies on or to drop a web shell where the web server will execute it.
Here's a simplified look at the vulnerable pattern (in Java; illustrative, not the exact Fineract source):
// Simplified version of the vulnerable upload handling
import java.io.FileOutputStream;
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;

void saveUpload(HttpServletRequest request, byte[] fileBytes) throws IOException {
    String fileName = request.getParameter("fileName"); // supplied by the user, never validated
    String uploadPath = "/var/data/uploads/" + fileName; // plain concatenation, no canonicalisation
    // Writes the uploaded bytes to whatever path the user chose (!)
    try (FileOutputStream out = new FileOutputStream(uploadPath)) {
        out.write(fileBytes);
    }
}
The fileName comes straight from the user, unchecked, and FileOutputStream follows the .. segments literally.
- If an attacker submits ../../../tomcat/webapps/ROOT/shell.jsp as the filename, the path becomes /var/data/uploads/../../../tomcat/webapps/ROOT/shell.jsp, which the operating system resolves three directories up from the upload folder. The file lands far outside the intended directory, with the server's own privileges.
Step-by-Step Exploit Scenario
1. Log in: The attacker needs an account. This is not an unauthenticated bug, but any employee, contractor or intern with a login can use it, and so can anyone who has phished or bought one.
2. Craft a malicious file: The attacker prepares a "web shell" such as shell.jsp, a JSP page that runs whatever OS command it receives in an HTTP parameter.
3. Upload it with a traversal filename: Using ../ segments in the filename (../../../webapps/ROOT/shell.jsp), the attacker has the server write the shell into its own web root instead of the upload directory. The number of segments and the target directory depend on how the deployment is laid out; what matters is that nothing restricts the name to the upload directory.
4. Execute code: Browsing to http://fineract-server/shell.jsp?cmd=whoami runs the command with the privileges of the account that runs Fineract. If that account is root, or can write to the application's own files, the whole host is gone.
Example malicious request (using curl):
curl -X POST \
  -H "Fineract-Platform-TenantId: default" \
  -u user:password \
  -F "file=@shell.jsp" \
  -F "fileName=../../../webapps/ROOT/shell.jsp" \
  http://<fineract-server>/fineract-provider/api/v1/documents
Note: the endpoint, the form field name and the number of ../ segments are illustrative; adjust them to your deployment. Fineract's documents endpoint is scoped to an entity (for example /clients/{id}/documents), and every API call needs the Fineract-Platform-TenantId header.
Then the attacker requests the dropped shell (add the port your deployment listens on):
http://<fineract-server>/shell.jsp?cmd=ls
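What the steps above leave behind in a web server access log, and how to flag it, as an added example written for this write-up (Java 11 or newer; it is not Fineract's own code, and the log lines are constructed Common Log Format samples, not real Fineract output). Two checks are applied after percent-decoding the request target: a traversal sequence in the URL, and a request for a JSP outside the Fineract API prefix, which is the post-exploitation step once a shell has been dropped. A traversal string smuggled in a multipart form field, as in the curl request above, is not visible in an access log; catching that needs application-level logging of the submitted file name, so the second check is the one that matters there.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class UploadAbuseDetector {

    // Common Log Format: client ident user [time] "METHOD target HTTP/x" status bytes
    private static final Pattern CLF = Pattern.compile(
            "^(\\S+) \\S+ (\\S+) \\[([^\\]]+)\\] \"(\\S+) (\\S+) [^\"]*\" (\\d{3}) (\\S+)");
    // "../" or "..\" anywhere in the decoded request target
    private static final Pattern TRAVERSAL = Pattern.compile("\\.\\.[/\\\\]");
    // A request for a JSP page: the post-exploitation step once a shell has been dropped
    private static final Pattern JSP_REQUEST = Pattern.compile("(?i)\\.jspx?(\\?|$)");
    private static final Pattern CMD_PARAM = Pattern.compile("(?i)[?&](cmd|exec|command)=");
    // Assumed: legitimate Fineract traffic lives under this prefix
    private static final String API_PREFIX = "/fineract-provider/";

    /** Percent-decodes up to three times so double-encoded "%252e%252e%252f" is seen as "../". */
    static String decodeRepeatedly(String s) {
        String prev = s;
        for (int i = 0; i < 3; i++) {
            String cur;
            try {
                cur = URLDecoder.decode(prev, StandardCharsets.UTF_8);
            } catch (IllegalArgumentException e) {
                return prev; // malformed escape sequence: keep what we have
            }
            if (cur.equals(prev)) break;
            prev = cur;
        }
        return prev;
    }

    /** Returns one finding per suspicious request; an empty list means nothing matched. */
    static List<String> scan(List<String> logLines) {
        List<String> findings = new ArrayList<>();
        for (String line : logLines) {
            Matcher m = CLF.matcher(line);
            if (!m.find()) continue; // not CLF: skip rather than guess
            String client = m.group(1), user = m.group(2), method = m.group(4), status = m.group(6);
            String target = decodeRepeatedly(m.group(5));
            if (TRAVERSAL.matcher(target).find()) {
                findings.add("TRAVERSAL  user=" + user + " client=" + client + " " + method + " " + target);
            }
            if (JSP_REQUEST.matcher(target).find() && !target.startsWith(API_PREFIX)) {
                String why = CMD_PARAM.matcher(target).find() ? "command parameter" : "JSP outside the API";
                findings.add("WEBSHELL?  " + why + " status=" + status + " client=" + client + " " + target);
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample lines in Common Log Format; not real Fineract logs.
        List<String> sample = List.of(
                "10.0.0.7 - intern [30/Nov/2022:10:01:12 +0000] \"POST /fineract-provider/api/v1/clients/1/documents HTTP/1.1\" 200 312",
                "10.0.0.7 - intern [30/Nov/2022:10:01:40 +0000] \"POST /fineract-provider/api/v1/clients/1/documents?fileName=..%2F..%2F..%2Fwebapps%2FROOT%2Fshell.jsp HTTP/1.1\" 200 312",
                "10.0.0.7 - - [30/Nov/2022:10:02:03 +0000] \"GET /shell.jsp?cmd=whoami HTTP/1.1\" 200 57",
                "10.0.0.9 - officer [30/Nov/2022:10:05:00 +0000] \"GET /fineract-provider/api/v1/loans/42/documents HTTP/1.1\" 200 1024");
        scan(sample).forEach(System.out::println); // two findings: the encoded traversal and the JSP request
    }
}
```

The second sample line is flagged as traversal only after decoding, which is why the decode loop runs first; the third is flagged as a probable web shell because a JSP is being requested outside the API prefix with a cmd parameter. Tune API_PREFIX and the JSP rule to your own deployment before pointing this at production logs.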
Original References
- Apache Security Advisory
- NVD Entry
- Fineract JIRA Ticket FINERACT-1437
Patch and Mitigation
The Apache Fineract team fixed this in version 1.8.1 by validating file paths in the upload component, so an upload can no longer land outside the intended directory.
Update to 1.8.1 or later ASAP.
- Make sure your own file upload code validates filenames properly: reject any name containing a path separator or a .. segment instead of stripping it (stripping ../ once is bypassed by ....//), canonicalize the final path and confirm it is still under the upload root, and allow-list the extensions you actually need (never .jsp).
- Run Fineract as an unprivileged account that cannot write to the application's own directory or web root, so a path bug cannot turn into code execution.
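To make the mitigation concrete, here is the hardened counterpart of the simplified vulnerable snippet shown earlier, as an added example written for this write-up (Java 11 or newer). It is not Fineract's own code or its 1.8.1 patch; the upload root, the extension allow-list and the method names are assumptions. Each rejected case in main() corresponds to one of the points in the list above.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardOpenOption;
import java.util.Locale;
import java.util.Set;

public class SafeDocumentUpload {

    // Assumed upload root for this example; in a real deployment it is a configuration setting.
    private static final Path UPLOAD_ROOT = Paths.get("/var/data/uploads").toAbsolutePath().normalize();

    // Assumed allow-list of document types. Server-executable types (.jsp, .jspx, .war, .sh)
    // are deliberately absent; never build this as a deny-list.
    private static final Set<String> ALLOWED_EXTENSIONS = Set.of("pdf", "png", "jpg", "jpeg");

    /**
     * Validates a client-supplied file name and returns the only location it may be written to.
     * Throws IllegalArgumentException for anything that could leave UPLOAD_ROOT.
     */
    static Path resolveUploadPath(String userFileName) {
        if (userFileName == null || userFileName.isBlank()) {
            throw new IllegalArgumentException("missing file name");
        }
        // Reject rather than strip. Removing "../" once is bypassable: "....//" becomes "../"
        // after a single strip. A bare file name has no business containing separators at all.
        if (userFileName.contains("/") || userFileName.contains("\\")
                || userFileName.indexOf('\0') >= 0
                || userFileName.equals(".") || userFileName.equals("..")) {
            throw new IllegalArgumentException("file name must not contain path separators or dot segments");
        }
        int dot = userFileName.lastIndexOf('.');
        String ext = dot < 0 ? "" : userFileName.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED_EXTENSIONS.contains(ext)) {
            throw new IllegalArgumentException("file type not allowed: ." + ext);
        }
        // Defence in depth: canonicalise and prove the result is still strictly inside the root,
        // so a bug in the checks above cannot turn into a write outside it.
        Path target = UPLOAD_ROOT.resolve(userFileName).normalize();
        if (!target.startsWith(UPLOAD_ROOT) || target.equals(UPLOAD_ROOT)) {
            throw new IllegalArgumentException("path escapes upload root");
        }
        return target;
    }

    /** Writes the bytes to the validated path; CREATE_NEW refuses to overwrite an existing file. */
    static Path store(String userFileName, byte[] fileBytes) throws IOException {
        Path target = resolveUploadPath(userFileName);
        Files.createDirectories(UPLOAD_ROOT);
        Files.write(target, fileBytes, StandardOpenOption.CREATE_NEW, StandardOpenOption.WRITE);
        return target;
    }

    public static void main(String[] args) {
        String[] names = {
                "loan-agreement.pdf",                    // accepted
                "../../../webapps/ROOT/shell.jsp",       // the traversal from this write-up: rejected
                "....//....//webapps/ROOT/shell.jsp",    // defeats a strip-once filter: rejected
                "..\\..\\shell.pdf",                     // Windows-style separators: rejected
                "shell.jsp",                             // no traversal, but a server-executable type: rejected
        };
        for (String name : names) {
            try {
                System.out.println("ACCEPT " + name + " -> " + resolveUploadPath(name));
            } catch (IllegalArgumentException e) {
                System.out.println("REJECT " + name + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

main() only exercises the validation, so it runs without touching the filesystem; store() shows how the validated path is then used, with CREATE_NEW so an upload can never clobber an existing file. The strongest design goes one step further and ignores the client's name entirely, storing the file under a server-generated name and keeping the original only as metadata in the database.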
Conclusion
If you use Apache Fineract version 1.8.0 or older, CVE-2022-44635 lets anyone with a login run code on your server. This isn't just a theoretical threat: a real attacker could use it to take over your banking platform, steal customer data, or stage ransomware. Upgrade immediately, and review your logs for traversal sequences in upload requests and for requests to files that should not exist in your web root.
Stay safe! And always keep your open-source software up to date.
*This writeup is exclusive and built in simple American English for accessibility. For more, see the original advisories listed above.*
Timeline
Published on: 11/29/2022 15:15:00 UTC
Last modified on: 12/01/2022 21:24:00 UTC