A few days ago we have been informed about a security vulnerability in the
Nominatim API. Today we have released updates for all affected Nominatim
Today we have released new versions 3.4.2, 3.3.1 and 3.2.1 of Nominatim.
If you have your own installation of Nominatim, you should update as soon
What is the problem?
The /details endpoint fails to properly sanitize user input and uses it
as is in an SQL query. This allows an attacker to inject arbitrary SQL
code including querying and updating the database.
Which versions are affected?
The code was added to Nominatim in April 2018. All releases since 3.2
are affected. The bug has been fixed in 3.4.2, 3.3.1 and 3.2.1.
How is my installation affected?
If you have followed the standard installation instructions, then the
/details endpoint is available by default. The standard installation also
adds a special user for the webserver which has only minimal read rights
on the database. If you have not changed the rights, then the vulnerability
can only be used to query the database.
How should I fix it?
If you don't need the details API, then you can simply delete the file
`website/details.php` to remove the endpoint. Otherwise, you should install
the appropriate update for your version. No changes to the database are
necessary. Simply download and build the new version, copy over your
`settings/local.php` file and point your webserver to the new version.
A big thank you to @bladeswords for finding and reporting this.