Vulnerability Description
OpenMRS is a patient-based medical record system focused on giving providers a free, customizable electronic medical record system. Affected versions are subject to arbitrary file exfiltration because the request path is not sanitized when serving GET requests for `/images` and `/initfilter/scripts`. This allows an attacker to read any file on a system running OpenMRS that is readable by the user id OpenMRS runs under. Affected deployments should update to the latest patch version of OpenMRS Core for the minor version they use: 2.1.5, 2.2.1, 2.3.5, 2.4.5 or 2.5.3. As a general rule, this vulnerability is already mitigated by Tomcat's URL normalization in Tomcat 7.0.28+. Users on older versions of Tomcat should consider upgrading their Tomcat instance as well as their OpenMRS instance.
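The defect described above is the classic path traversal in a static-resource handler: the requested path is joined to a directory on disk without checking that the result still lies inside that directory. The class below is an added illustration, not OpenMRS code and not the project's actual fix; it contrasts the unsafe join with a hardened resolver that decodes once, normalizes, and rejects anything that escapes the directory mapped to the URL prefix. The web root `/srv/openmrs/webapp`, the `/images` prefix and the sample request paths are constructed for the example; it needs Java 11+ for `URLDecoder.decode(String, Charset)`.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.List;

/**
 * Added example (not OpenMRS code): a static-resource resolver in its
 * vulnerable and its hardened form. The web root and URL prefix are
 * hypothetical deployment values.
 */
public class SafeResourceResolver {

    private final Path webRoot;     // directory the web app is served from
    private final String urlPrefix; // URL segment handled, e.g. "/images"

    SafeResourceResolver(Path webRoot, String urlPrefix) {
        this.webRoot = webRoot.toAbsolutePath().normalize();
        this.urlPrefix = urlPrefix;
    }

    /**
     * Vulnerable pattern: the request path is appended to the web root as-is,
     * so any ".." segments the container did not strip walk out of the root.
     */
    Path resolveUnsafe(String requestPath) {
        return Paths.get(webRoot.toString(), requestPath);
    }

    /**
     * Hardened pattern: returns the file to serve, or null if the request must
     * be refused. Decodes exactly once so "%2e%2e" cannot survive into the file
     * system path, normalizes to collapse "." and "..", then requires the result
     * to be strictly below the directory that belongs to the URL prefix.
     * (In production also compare against toRealPath() so symlinks cannot
     * point outside the directory; omitted here because the paths do not exist.)
     */
    Path resolveSafe(String requestPath) {
        if (requestPath == null || !requestPath.startsWith(urlPrefix + "/")) {
            return null;
        }
        String decoded = URLDecoder.decode(requestPath, StandardCharsets.UTF_8);
        Path allowedDir = webRoot.resolve(urlPrefix.substring(1)).normalize();
        Path candidate = webRoot.resolve(decoded.substring(1)).normalize();
        // Path.startsWith compares whole name elements, so "images-old" does not
        // match "images"; equality is rejected so the directory itself is never served.
        if (candidate.equals(allowedDir) || !candidate.startsWith(allowedDir)) {
            return null; // traversal attempt or directory listing request
        }
        return candidate;
    }

    public static void main(String[] args) {
        // Constructed deployment: web root and three constructed requests, one
        // legitimate, one with plain "..", one with a single layer of URL encoding.
        SafeResourceResolver r =
            new SafeResourceResolver(Paths.get("/srv/openmrs/webapp"), "/images");
        List<String> requests = Arrays.asList(
            "/images/logo.png",
            "/images/../../outside.txt",
            "/images/%2e%2e/%2e%2e/outside.txt");
        for (String req : requests) {
            System.out.printf("%-36s unsafe -> %s%n", req, r.resolveUnsafe(req).normalize());
            System.out.printf("%-36s safe   -> %s%n", req, r.resolveSafe(req));
        }
    }
}
```

Run with `java SafeResourceResolver.java`. The unsafe resolver maps the second and third requests to `/srv/openmrs/outside.txt`, outside the web root, while the hardened one returns `null` for both and serves only `/srv/openmrs/webapp/images/logo.png`. The prefix check is the application-level counterpart of the Tomcat URL normalization the advisory mentions: relying on the container alone leaves older Tomcat releases exposed, so the handler should enforce the boundary itself.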
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openmrs | Openmrs | >= 1.6, < 2.1.5 |
Related Weaknesses (CWE)
References
- https://github.com/openmrs/openmrs-core/blob/ee3373a7a775bfdfa263e2e912c72e64342 (Patch, Third Party Advisory)
- https://github.com/openmrs/openmrs-core/commit/db8454bf19a092a78d53ee4dba2af628b (Patch, Third Party Advisory)
- https://github.com/openmrs/openmrs-core/security/advisories/GHSA-8rgr-ww69-jv65 (Exploit, Patch, Third Party Advisory)
- https://lgtm.com/projects/g/openmrs/openmrs-core/snapshot/fb1335c925ca4c94be5a54 (Patch, Third Party Advisory)
FAQ
What is CVE-2022-23612?
CVE-2022-23612 is a vulnerability with a CVSS score of 7.5 (HIGH). OpenMRS is a patient-based medical record system focusing on giving providers a free customizable electronic medical record system. Affected versions are subject to arbitrary file exfiltration due to ...
How severe is CVE-2022-23612?
CVE-2022-23612 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2022-23612?
Check the references section above for vendor advisories and patch information. Affected products include: Openmrs Openmrs.