CVE-2018-19276 — CRITICAL (9.8)

Q: How severe is CVE-2018-19276?

CVE-2018-19276 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2018-19276?

Check the references section above for vendor advisories and patch information. Affected products include: Openmrs Openmrs.

Vulnerability Description

OpenMRS before 2.24.0 is affected by an Insecure Object Deserialization vulnerability that allows an unauthenticated user to execute arbitrary commands on the targeted system via crafted XML data in a request body.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Openmrs	Openmrs	>= 1.12.0, < 1.12.1

Related Weaknesses (CWE)

CWE-502

References

http://packetstormsecurity.com/files/151553/OpenMRS-Platform-Insecure-Object-DesExploitThird Party AdvisoryVDB Entry
http://packetstormsecurity.com/files/155691/OpenMRS-Java-Deserialization-Remote-Third Party AdvisoryVDB Entry
https://know.bishopfox.com/advisories/news/2019/02/openmrs-insecure-object-deserThird Party Advisory
https://talk.openmrs.org/t/critical-security-advisory-cve-2018-19276-2019-02-04/Vendor Advisory
https://www.exploit-db.com/exploits/46327/ExploitThird Party AdvisoryVDB Entry
http://packetstormsecurity.com/files/151553/OpenMRS-Platform-Insecure-Object-DesExploitThird Party AdvisoryVDB Entry
http://packetstormsecurity.com/files/155691/OpenMRS-Java-Deserialization-Remote-Third Party AdvisoryVDB Entry
https://know.bishopfox.com/advisories/news/2019/02/openmrs-insecure-object-deserThird Party Advisory
https://talk.openmrs.org/t/critical-security-advisory-cve-2018-19276-2019-02-04/Vendor Advisory
https://www.exploit-db.com/exploits/46327/ExploitThird Party AdvisoryVDB Entry

FAQ

What is CVE-2018-19276?

CVE-2018-19276 is a vulnerability with a CVSS score of 9.8 (CRITICAL). OpenMRS before 2.24.0 is affected by an Insecure Object Deserialization vulnerability that allows an unauthenticated user to execute arbitrary commands on the targeted system via crafted XML data in a...

How severe is CVE-2018-19276?

CVE-2018-19276 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2018-19276?

Check the references section above for vendor advisories and patch information. Affected products include: Openmrs Openmrs.