CVE-2017-12796

moderate-risk
Published 2017-10-23

The Reporting Compatibility Add On before 2.0.4 for OpenMRS, as distributed in OpenMRS Reference Application before 2.6.1, does not authenticate users when deserializing XML input into ReportSchema objects. The result is that remote unauthenticated users are able to execute operating system commands by crafting malicious XML payloads, as demonstrated by a single admin/reports/reportSchemaXml.form request.

Do I need to act?

~
5.7% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
+
Fix available
Upgrade to: 0b8ae6299f65159fe7d9b06a6c679834378d31b8
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (1)

Openmrs

Affected Vendors

Openmrs

References (6)

Exploit https://isears.github.io/jekyll/update/2017/10/21/openmrs-rce.html
Vendor Advisory https://talk.openmrs.org/t/critical-security-advisory-2017-09-12/13291
Release Notes https://wiki.openmrs.org/display/RES/Release+Notes+2.6.1
Exploit https://isears.github.io/jekyll/update/2017/10/21/openmrs-rce.html
Vendor Advisory https://talk.openmrs.org/t/critical-security-advisory-2017-09-12/13291
Release Notes https://wiki.openmrs.org/display/RES/Release+Notes+2.6.1
46
/ 100
moderate-risk
Severity 32/34 · Critical
Exploitability 9/34 · Low
Exposure 5/34 · Minimal