CVE-2018-17891

Name of the Vulnerable Software and Affected Versions Carestream Vue RIS versions 11.2 and prior

Description The issue is related to information leakage in error messages. When a user contacts a Carestream server without an Oracle TNS listener available, an HTTP 500 error is triggered, potentially leaking technical information that could be used to initiate a more elaborate attack. This could allow a remote attacker to gain unauthorized access to protected information.

Recommendations For Carestream Vue RIS versions 11.2 and prior, consider restricting access to the server until a fix is available, and ensure proper configuration of the Oracle TNS listener to prevent information leakage. As a temporary workaround, restrict access to the server to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.