CVE-2018-19276

high-risk
Published 2019-03-21

OpenMRS before 2.24.0 is affected by an Insecure Object Deserialization vulnerability that allows an unauthenticated user to execute arbitrary commands on the targeted system via crafted XML data in a request body.

Do I need to act?

!
93.3% chance of exploitation in next 30 days
EPSS score — higher than 7% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
!
2 public exploits available
46327, 47792
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (1)

Openmrs

Affected Vendors

Openmrs

References (10)

Exploit http://packetstormsecurity.com/files/151553/OpenMRS-Platform-Insecure-Object-Des...
Third Party Advisory http://packetstormsecurity.com/files/155691/OpenMRS-Java-Deserialization-Remote-...
Third Party Advisory https://know.bishopfox.com/advisories/news/2019/02/openmrs-insecure-object-deser...
Vendor Advisory https://talk.openmrs.org/t/critical-security-advisory-cve-2018-19276-2019-02-04/...
Exploit https://www.exploit-db.com/exploits/46327/
Exploit http://packetstormsecurity.com/files/151553/OpenMRS-Platform-Insecure-Object-Des...
Third Party Advisory http://packetstormsecurity.com/files/155691/OpenMRS-Java-Deserialization-Remote-...
Third Party Advisory https://know.bishopfox.com/advisories/news/2019/02/openmrs-insecure-object-deser...
Vendor Advisory https://talk.openmrs.org/t/critical-security-advisory-cve-2018-19276-2019-02-04/...
Exploit https://www.exploit-db.com/exploits/46327/
64
/ 100
high-risk
Severity 32/34 · Critical
Exploitability 27/34 · High
Exposure 5/34 · Minimal