Devs -

Today we are announcing that release 1.9.0 fixed a few reported CVEs.
Those should be showing up here on the listserv shortly.  Version 1.8.4 and
prior were not fixed and likely contain these vulnerabilities.  We are
circumspect in how we describe them - you can dig further via the PRs and
the related tickets.

The CVEs are also documented here:
https://cwiki.apache.org/confluence/display/FINERACT/Apache+Fineract+Security+Report

With Yash Sancheti helping, we created a How to Secure Fineract page.
Additional best practices should be shared there or on list to ensure that
all instances of Fineract are kept secure.

https://cwiki.apache.org/confluence/display/FINERACT/Securing+Fineract

I would encourage everyone to review their security practices.  Fineract
should not simply be downloaded and run in production environments without
taking into account attack vectors and proper security.  There are
vendors available to help with this.

Report vulnerabilities and exploits to Security AT fineract.apache.org

Thank you
James
PMC Fineract
