{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-18T05:49:00.775","vulnerabilities":[{"cve":{"id":"CVE-2022-23612","sourceIdentifier":"security-advisories@github.com","published":"2022-02-22T23:15:11.400","lastModified":"2024-11-21T06:48:55.907","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"OpenMRS is a patient-based medical record system focusing on giving providers a free customizable electronic medical record system. Affected versions are subject to arbitrary file exfiltration due to failure to sanitize request when satisfying GET requests for `/images` & `/initfilter/scripts`. This can allow an attacker to access any file on a system running OpenMRS that is accessible to the user id OpenMRS is running under. Affected implementations should update to the latest patch version of OpenMRS Core for the minor version they use. These are: 2.1.5, 2.2.1, 2.3.5, 2.4.5 and 2.5.3. As a general rule, this vulnerability is already mitigated by Tomcat's URL normalization in Tomcat 7.0.28+. Users on older versions of Tomcat should consider upgrading their Tomcat instance as well as their OpenMRS instance."},{"lang":"es","value":"OpenMRS es un sistema de registro médico basado en el paciente que se centra en ofrecer a los proveedores un sistema de registro médico electrónico gratuito y personalizable. Las versiones afectadas están sujetas a la exfiltración arbitraria de archivos debido a un fallo en el saneo de la petición cuando son satisfechas peticiones GET para \"/images\" & \"/initfilter/scripts\". Esto puede permitir a un atacante acceder a cualquier archivo en un sistema que ejecute OpenMRS que sea accesible para el ID de usuario con el que es ejecutado OpenMRS. Las implementaciones afectadas deben actualizar a la última versión del parche de OpenMRS Core para la versión menor que usan. Estas son: 2.1.5, 2.2.1, 2.3.5, 2.4.5 y 2.5.3. Como regla general, esta vulnerabilidad ya está mitigada por la normalización de URL de Tomcat en Tomcat versión 7.0.28+. Los usuarios de versiones anteriores de Tomcat deberían considerar la posibilidad de actualizar su instancia de Tomcat, así como su instancia de OpenMRS"}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":3.6},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":3.6}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:N/A:N","baseScore":5.0,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE"},"baseSeverity":"MEDIUM","exploitabilityScore":10.0,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-22"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:openmrs:openmrs:*:*:*:*:*:*:*:*","versionStartIncluding":"1.6","versionEndExcluding":"2.1.5","matchCriteriaId":"CC9D911E-1D03-4348-A3E8-42EF336C3CB1"},{"vulnerable":true,"criteria":"cpe:2.3:a:openmrs:openmrs:*:*:*:*:*:*:*:*","versionStartIncluding":"2.2.0","versionEndExcluding":"2.2.1","matchCriteriaId":"AB9FD95F-109C-46B6-9997-1467E85C2EA9"},{"vulnerable":true,"criteria":"cpe:2.3:a:openmrs:openmrs:*:*:*:*:*:*:*:*","versionStartIncluding":"2.3.0","versionEndExcluding":"2.3.5","matchCriteriaId":"3CDFE507-8377-4B9E-A91E-4EAEB3893CAD"},{"vulnerable":true,"criteria":"cpe:2.3:a:openmrs:openmrs:*:*:*:*:*:*:*:*","versionStartIncluding":"2.4.0","versionEndExcluding":"2.4.5","matchCriteriaId":"DE611740-A309-4E76-BFE2-A18978D9C50A"},{"vulnerable":true,"criteria":"cpe:2.3:a:openmrs:openmrs:*:*:*:*:*:*:*:*","versionStartIncluding":"2.5.0","versionEndExcluding":"2.5.3","matchCriteriaId":"E69117E5-4694-44D3-8DC4-AE189857C002"}]}]}],"references":[{"url":"https://github.com/openmrs/openmrs-core/blob/ee3373a7a775bfdfa263e2e912c72e64342fb4f0/web/src/main/java/org/openmrs/web/filter/StartupFilter.java#L123","source":"security-advisories@github.com","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/openmrs/openmrs-core/commit/db8454bf19a092a78d53ee4dba2af628b730a6e7#diff-7c64d9f61d4d4e2ddba92920d7cf63ec96091b308d43904956b3846bc0c26d80R128","source":"security-advisories@github.com","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/openmrs/openmrs-core/security/advisories/GHSA-8rgr-ww69-jv65","source":"security-advisories@github.com","tags":["Exploit","Patch","Third Party Advisory"]},{"url":"https://lgtm.com/projects/g/openmrs/openmrs-core/snapshot/fb1335c925ca4c94be5a546707b90d2c1efa4dcc/files/web/src/main/java/org/openmrs/web/filter/StartupFilter.java#L123","source":"security-advisories@github.com","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/openmrs/openmrs-core/blob/ee3373a7a775bfdfa263e2e912c72e64342fb4f0/web/src/main/java/org/openmrs/web/filter/StartupFilter.java#L123","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/openmrs/openmrs-core/commit/db8454bf19a092a78d53ee4dba2af628b730a6e7#diff-7c64d9f61d4d4e2ddba92920d7cf63ec96091b308d43904956b3846bc0c26d80R128","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/openmrs/openmrs-core/security/advisories/GHSA-8rgr-ww69-jv65","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Patch","Third Party Advisory"]},{"url":"https://lgtm.com/projects/g/openmrs/openmrs-core/snapshot/fb1335c925ca4c94be5a546707b90d2c1efa4dcc/files/web/src/main/java/org/openmrs/web/filter/StartupFilter.java#L123","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch","Third Party Advisory"]}]}}]}