OpenMRS Security Notice: Path Traversal Vulnerability CVE-2022-23612
Dear Implementers,
Please be aware of the following security vulnerability. Thank you to security researcher Jonathan Leitschuh who discovered the issue, and to @ibacher and @dkayiwa for working on the patch and updated releases.
- Severity: Medium
- CVE: CVE-2022-23612
- GitHub Advisory: here
Affected Versions
- OpenMRS Platform: v1.6+
Vulnerability
- The issue can allow an unauthenticated user to read files that are not intended to be served via the web (e.g., the contents of configuration files, or the database file itself if the database is running locally on the same host).
- We have also published a GitHub Advisory in openmrs-core security advisories.
Recommendations
All implementers should update to the latest minor release of the platform as soon as is practical.
As a general rule, this vulnerability is already mitigated by Tomcat’s URL normalization in Tomcat 7.0.28+. Implementers on older versions of Tomcat should consider upgrading their Tomcat instance as well as their OpenMRS instance.
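Container-level URL normalization is one layer; the application should still confine any user-supplied file name to the directory it is meant to serve from. The following is an added example written for this notice, not OpenMRS code or part of the patch referenced above. It shows the containment check a servlet-style file handler would apply after the container has URL-decoded the request. The base directory, the class name, and the sample requests are all assumed or constructed for illustration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added example (not OpenMRS code): resolve a user-supplied relative file
 * name against a fixed base directory and refuse anything that would
 * escape it. Intended to run after the servlet container has already
 * URL-decoded the request path.
 */
public final class SafePathResolver {

    private final Path base;

    public SafePathResolver(Path base) {
        // Normalize the base once so the containment check below compares
        // like with like (absolute, no "." or ".." segments).
        this.base = base.toAbsolutePath().normalize();
    }

    /**
     * Returns the resolved path inside the base directory, or null when the
     * request is malformed or would resolve outside the base directory.
     */
    public Path resolve(String requested) {
        if (requested == null || requested.isEmpty()) {
            return null;
        }
        // NUL bytes truncate paths in native code and defeat extension checks.
        if (requested.indexOf('\0') >= 0) {
            return null;
        }
        // Absolute paths and backslashes (treated as separators on some
        // platforms and by some containers) are never a valid relative request.
        if (requested.startsWith("/") || requested.contains("\\")) {
            return null;
        }
        // normalize() collapses "." and ".." segments; startsWith(Path)
        // compares whole path segments, so "/base-other/x" does not pass
        // for base "/base".
        Path candidate = base.resolve(requested).normalize();
        if (!candidate.startsWith(base)) {
            return null;
        }
        return candidate;
    }

    public static void main(String[] args) {
        // Assumed base directory and constructed sample requests.
        SafePathResolver resolver =
                new SafePathResolver(Paths.get("/var/lib/app/static"));
        String[] requests = {
                "css/site.css",                       // allowed
                "ok/./file.txt",                      // allowed after normalization
                "../../etc/passwd",                   // rejected: escapes base
                "img/../../../../app.properties",     // rejected: escapes base
                "/etc/hosts",                         // rejected: absolute path
                "css\\..\\..\\app.properties"         // rejected: backslashes
        };
        for (String r : requests) {
            Path p = resolver.resolve(r);
            System.out.printf("%-40s -> %s%n", r, p == null ? "REJECTED" : p);
        }
    }
}
```

Two caveats for anyone adapting this: the check must see the decoded path, so it belongs in application code rather than in front of the container's decoding step, and it does not follow symbolic links. If the base directory may contain symlinks pointing outside it, resolve the candidate with `toRealPath()` (after confirming it exists) and repeat the `startsWith` comparison on the real path.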
The following versions contain the patch:
For questions or concerns, you can reply to this thread or connect directly with the OpenMRS Security Group at security@openmrs.org.