CIVIEXT-SA-2019-01: Multiple Security Issues in APIv4

Published
2019-05-15 08:00

To be affected, the APIv4 extension must be installed, not merely present on the filesystem.

The latest release of APIv4 addresses two vulnerabilities:

  • Privilege escalation via leaked key: APIv4 exposed API keys in a way that could be used for privilege escalation. This is a corollary of CIVI-SA-2017-02, which previously affected APIv3, and the solution is similar.
  • SQL injection via join: The join notation was not suitably validated and allowed arbitrary SQL conditions to be supplied. This has been resolved by tightening the validation.
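Both fixes above come down to the same rule: nothing the API caller supplies is copied into SQL, and sensitive columns are withheld unless the caller holds the permission for them. The following is an added illustration of that pattern, not code from CiviCRM or the APIv4 extension. It uses Python with an in-memory SQLite database; the two-table schema, the sample rows, the join notation shape [table, type, [lhs, op, rhs]], and the "edit api keys" permission name are all assumptions made for the example.

```python
import re
import sqlite3

# Constructed schema for this example: the columns each entity may expose.
ALLOWED_FIELDS = {
    "contact": {"id", "display_name", "api_key"},
    "email": {"id", "contact_id", "email"},
}
# Columns that need an extra permission to read; the permission name is assumed.
SENSITIVE_FIELDS = {("contact", "api_key"): "edit api keys"}
ALLOWED_OPERATORS = {"=", "!=", "<", ">", "<=", ">=", "LIKE"}
ALLOWED_JOIN_TYPES = {"INNER", "LEFT"}
FIELD_RE = re.compile(r"^[a-z_]+\.[a-z_]+$")


class ApiError(ValueError):
    """Any request element that is not on an allowlist is rejected outright."""


def validate_field(ref):
    """Accept only 'table.column' with both names allowlisted. Caller text is
    never copied into SQL; the allowlisted names are used instead."""
    if not isinstance(ref, str) or not FIELD_RE.match(ref):
        raise ApiError("bad field reference: %r" % (ref,))
    table, col = ref.split(".")
    if col not in ALLOWED_FIELDS.get(table, ()):
        raise ApiError("unknown field: %s.%s" % (table, col))
    return table, col


def validate_join(join):
    """Join notation, assumed shape [table, join_type, [lhs, op, rhs]].
    The weak approach treats the condition as raw SQL; here each part must be
    a known table, join type, field reference or comparison operator."""
    if not (isinstance(join, (list, tuple)) and len(join) == 3):
        raise ApiError("join must be [table, type, [lhs, op, rhs]]")
    table, join_type, cond = join
    if table not in ALLOWED_FIELDS:
        raise ApiError("unknown table: %r" % (table,))
    if join_type not in ALLOWED_JOIN_TYPES:
        raise ApiError("unknown join type: %r" % (join_type,))
    if not (isinstance(cond, (list, tuple)) and len(cond) == 3):
        raise ApiError("join condition must be [lhs, op, rhs]")
    lhs, op, rhs = cond
    if op not in ALLOWED_OPERATORS:
        raise ApiError("operator not allowed: %r" % (op,))
    lhs_t, lhs_c = validate_field(lhs)
    rhs_t, rhs_c = validate_field(rhs)
    if table not in (lhs_t, rhs_t):
        raise ApiError("join condition must reference the joined table")
    return table, join_type, "%s.%s %s %s.%s" % (lhs_t, lhs_c, op, rhs_t, rhs_c)


def build_query(select, joins, where):
    """Return (sql, params): identifiers only from allowlists, values bound."""
    cols = [validate_field(f) for f in select]
    sql = "SELECT " + ", ".join('%s.%s AS "%s.%s"' % (t, c, t, c) for t, c in cols)
    sql += " FROM contact"
    for join in joins:
        table, join_type, cond = validate_join(join)
        sql += " %s JOIN %s ON %s" % (join_type, table, cond)
    clauses, params = [], []
    for field, op, value in where:
        t, c = validate_field(field)
        if op not in ALLOWED_OPERATORS:
            raise ApiError("operator not allowed: %r" % (op,))
        clauses.append("%s.%s %s ?" % (t, c, op))
        params.append(value)
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return sql, params


def redact(rows, caller_perms):
    """Drop sensitive columns the caller may not read, rather than returning
    them and hoping the client ignores them (the key-leak fix pattern)."""
    out = []
    for row in rows:
        kept = {}
        for key, value in row.items():
            needed = SENSITIVE_FIELDS.get(tuple(key.split(".")))
            if needed is None or needed in caller_perms:
                kept[key] = value
        out.append(kept)
    return out


def run(select, joins=(), where=(), caller_perms=()):
    """Execute against a constructed in-memory database; the data is made up."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE contact(id INTEGER, display_name TEXT, api_key TEXT);
        CREATE TABLE email(id INTEGER, contact_id INTEGER, email TEXT);
        INSERT INTO contact VALUES (1, 'Admin', 'admin-secret-key'), (2, 'Alice', 'alice-key');
        INSERT INTO email VALUES (1, 1, 'admin@example.org'), (2, 2, 'alice@example.org');
    """)
    cur = db.execute(*build_query(select, joins, where))
    names = [d[0] for d in cur.description]
    return redact([dict(zip(names, r)) for r in cur.fetchall()], caller_perms)
```

A join whose condition carries anything other than two allowlisted field references and an allowlisted operator (for example a trailing "OR 1=1") is refused before any SQL is assembled, and api_key only appears in results for a caller holding the assumed permission.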
Security Risk

Critical

Vulnerability

Access Bypass, SQL Injection

Affected Versions

APIv4 versions 4.4.0 and earlier

Fixed Versions

APIv4 versions 4.4.1 and 4.3.1

Solutions

CiviCRM includes a copy of the APIv4 extension. For many users, this means that a core upgrade will automatically include an APIv4 upgrade. However, if you have manually installed or upgraded the APIv4 extension, your manual copy takes precedence over the bundled one, and you should upgrade it manually now.

Specifically, ONE of the following upgrades would be a solution:

  • Upgrade to CiviCRM 5.13.4+; this version includes APIv4 version 4.4.1+
  • Upgrade to CiviCRM 5.7.6+; this version includes APIv4 version 4.3.1+
  • Manually upgrade the APIv4 extension to 4.3.1+ or 4.4.1+.

If you wish to verify that the upgrade has worked, check "Administer => System Settings => Extensions" and confirm that the APIv4 version shown is 4.3.1+ or 4.4.1+.

Credits

Patrick Figel of Greenpeace Central and Eastern Europe and Seamus Lee of Australian Greens for reporting the issues

Coleman Watts of CiviCRM for fixing the issues

References

security/core#54

security/core#55