Security Risk: Critical
Vulnerability: Access Bypass, SQL Injection
Affected Versions: APIv4 versions 4.4.0 and earlier
Fixed Versions: APIv4 versions 4.4.1 and 4.3.1
Publication Date: Wednesday, May 15, 2019
Description:

To be affected, APIv4 must be installed, not merely present on the filesystem.

The latest release of APIv4 addresses 2 vulnerabilities:

  • Privilege escalation via leaked key: APIv4 exposed API keys in a way which could be used for privilege escalation. This is a corollary to CIVI-SA-2017-02, which previously affected APIv3, and the solution is similar.
  • SQL injection via join: The join notation was not suitably validated and allowed arbitrary SQL conditions. This has been resolved by tightening the validation.
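As an added illustration of the kind of validation tightening described for the join issue (example code, not APIv4's or CiviCRM's own; the clause shape `['Table AS alias', type, [lhs, op, rhs]]` and the function name are assumptions), a join clause is accepted only when every part matches an allow-list, so request text never reaches the SQL string as-is:

```php
<?php
// Added example, not APIv4 or CiviCRM code. The clause shape
// ['Table AS alias', joinType, [lhs, op, rhs]] is assumed for illustration.
final class JoinValidationException extends InvalidArgumentException {}
// Allow-list every part of the clause and build SQL only from validated tokens.
function validateJoinToSql(array $join, array &$params): string
{
    [$target, $type, $condition] = $join + [null, null, null];
    $ident = '[A-Za-z_][A-Za-z0-9_]*';
    // 1. Target "Table AS alias": both parts must be plain identifiers.
    if (!is_string($target) || !preg_match("/^($ident) AS ($ident)$/", $target, $m)) {
        throw new JoinValidationException('Bad join target: ' . var_export($target, true));
    }
    [, $table, $alias] = $m;
    // 2. Join type comes from an allow-list, never from the request text.
    $type = strtoupper((string) $type);
    if (!in_array($type, ['INNER', 'LEFT'], true)) {
        throw new JoinValidationException("Bad join type: $type");
    }
    // 3. Condition must be exactly [field, operator, field-or-value].
    if (!is_array($condition) || count($condition) !== 3) {
        throw new JoinValidationException('Join condition must be [lhs, op, rhs]');
    }
    [$lhs, $op, $rhs] = $condition;
    $field = "/^$ident\\.$ident$/"; // alias.column only, no expressions
    if (!is_string($lhs) || !preg_match($field, $lhs)) {
        throw new JoinValidationException('Bad left-hand field: ' . var_export($lhs, true));
    }
    if (!in_array($op, ['=', '<>', '<', '<=', '>', '>='], true)) {
        throw new JoinValidationException('Bad operator: ' . var_export($op, true));
    }
    // Strings are field references and must validate; integers become bound values.
    if (is_string($rhs) && preg_match($field, $rhs)) {
        $rhsSql = $rhs;
    } elseif (is_int($rhs)) {
        $params[] = $rhs;
        $rhsSql = '?';
    } else {
        throw new JoinValidationException('Bad right-hand side: ' . var_export($rhs, true));
    }
    return "$type JOIN $table $alias ON $lhs $op $rhsSql";
}
$params = [];
echo validateJoinToSql(['Email AS e', 'left', ['e.contact_id', '=', 'c.id']], $params), "\n";
try { // a right-hand side carrying SQL text is rejected instead of interpolated
    validateJoinToSql(['Email AS e', 'LEFT', ['e.contact_id', '=', 'c.id OR 1']], $params);
} catch (JoinValidationException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```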
Solutions: 

CiviCRM includes a copy of the APIv4 extension. For many users, this means that a core upgrade will automatically include an APIv4 upgrade. However, if you have manually installed or upgraded the APIv4 extension, then your manual version will take precedence, and you should manually upgrade it now.

Specifically, ONE of the following upgrades would be a solution:

  • Upgrade to CiviCRM 5.13.4+; this version includes APIv4 version 4.4.1+
  • Upgrade to CiviCRM 5.7.6+; this version includes APIv4 version 4.3.1+
  • Manually upgrade the APIv4 extensions to 4.3.1+ or 4.4.1+.

If you wish to verify that the upgrade has worked, check "Administer => System Settings => Extensions" and note the version of APIv4.

Credits: 

Patrick Figel of Greenpeace Central And Eastern Europe and Seamus Lee of Australian Greens for reporting the issues

Coleman Watts of CiviCRM for fixing the issues

References: 

security/core#54

security/core#55