Critical Security Advisory: 2020-12-15

OpenMRS Critical Security Advisory

Dear Community,

Please be aware of the following critical security updates available for download from OpenMRS.

Severity: Critical


  • Authenticated users can leverage this vulnerability to execute arbitrary code on the server within the context of the Tomcat server process.
  • The exploit code enabling this attack has been made publicly available.

Affected Versions


Anyone running the HTML Form Entry, UI Framework, or Attachment modules (included in the Reference Application) should immediately upgrade to the latest released versions of the modules, which are all available on their pages in the OpenMRS Add-Ons Directory. Tips for upgrading individual modules in the Reference Application can be found on the wiki.

This includes anyone running any version of the OpenMRS Reference Application, as well as anyone who has installed the above modules on top of an OpenMRS Platform release. OpenMRS Reference Application versions >=2.8.1 should support the updated modules. The latest RefApp v2.11.0 release includes these updated modules.


We would like to thank Contrast Labs for their discovery of this vulnerability. Special thanks to @ibacher and our Software Security Leader @isears for their direct support in resolving the issues.


For questions, please directly contact and our OpenMRS Security Group will get back to you as soon as we can.

