PT-2022-16127 · Apache · Apache Tomcat

Ibacher · Published 2022-02-22 · Updated 2026-05-04 · CVE-2022-23612

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

OpenMRS versions prior to 2.1.5
OpenMRS versions prior to 2.2.1
OpenMRS versions prior to 2.3.5
OpenMRS versions prior to 2.4.5
OpenMRS versions prior to 2.5.3

Description

The issue affects OpenMRS, a patient-based medical record system, and is caused by a failure to sanitize the paths of GET requests to /images and /initfilter/scripts. This allows an attacker to read any file on the system that is accessible to the user ID OpenMRS is running under. Exploitation results in arbitrary file exfiltration.

Recommendations

For OpenMRS versions prior to 2.1.5, update to version 2.1.5.
For OpenMRS versions prior to 2.2.1, update to version 2.2.1.
For OpenMRS versions prior to 2.3.5, update to version 2.3.5.
For OpenMRS versions prior to 2.4.5, update to version 2.4.5.
For OpenMRS versions prior to 2.5.3, update to version 2.5.3.

As a temporary workaround, consider restricting access to the /images and /initfilter/scripts endpoints until the issue is resolved. Users on older versions of Tomcat should consider upgrading their Tomcat instance to at least version 7.0.28 to mitigate the risk.
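As an added example (not code from the advisory or from the OpenMRS project), the following detection logic scans web-server access logs for GET requests that reach the two affected endpoints with a ".." path segment after percent-decoding. The log lines, the /openmrs context path and the file names in them are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Feb/2022:10:01:02 +0000] "GET /openmrs/images/logo.png HTTP/1.1" 200 4512
10.0.0.7 - - [22/Feb/2022:10:01:09 +0000] "GET /openmrs/images/..%2F..%2Fexample.txt HTTP/1.1" 200 2210
10.0.0.7 - - [22/Feb/2022:10:01:15 +0000] "GET /openmrs/initfilter/scripts/%2e%2e/%2e%2e/example.properties HTTP/1.1" 200 913
10.0.0.9 - - [22/Feb/2022:10:02:00 +0000] "GET /openmrs/patientDashboard.form HTTP/1.1" 200 18833
"""

# Request-line parser: method, request target, protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Servlet paths named in the advisory (relative to the OpenMRS context path).
WATCHED_PREFIXES = ("/images/", "/initfilter/scripts/")


def normalize_path(raw_target):
    """Strip the query string, percent-decode twice (to catch double encoding)
    and unify backslashes so '..' segments become visible."""
    path = raw_target.split("?", 1)[0]
    for _ in range(2):
        path = unquote(path)
    return path.replace("\\", "/")


def touches_watched_endpoint(path):
    return any(prefix in path for prefix in WATCHED_PREFIXES)


def has_dotdot_segment(path):
    return any(segment == ".." for segment in path.split("/"))


def find_suspicious(log_text):
    """Return (raw_target, decoded_path) for GET requests to a watched
    endpoint whose decoded path climbs out of it with '..'."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match or match.group("method") != "GET":
            continue
        path = normalize_path(match.group("target"))
        if touches_watched_endpoint(path) and has_dotdot_segment(path):
            hits.append((match.group("target"), path))
    return hits


if __name__ == "__main__":
    for raw, decoded in find_suspicious(SAMPLE_LOG):
        print(f"traversal attempt: {raw} -> {decoded}")
```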

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2022-23612
GHSA-8RGR-WW69-JV65

Affected Products

Apache Tomcat