CVE-2022-23612

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-23612
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-23612.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-23612
Aliases
  • GHSA-8rgr-ww69-jv65
Published
2022-02-22T22:55:12Z
Modified
2025-11-28T03:32:02.376565Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Directory Traversal in OpenMRS Startup Filter
Details

OpenMRS is a patient-based medical record system focused on giving providers a free, customizable electronic medical record system. Affected versions are subject to arbitrary file exfiltration because the request path is not sanitized when serving GET requests for /images and /initfilter/scripts. This allows an attacker to read any file on a system running OpenMRS that is readable by the user ID OpenMRS runs under. Affected deployments should update to the latest patch release of OpenMRS Core for the minor version they use: 2.1.5, 2.2.1, 2.3.5, 2.4.5 or 2.5.3. As a general rule, this vulnerability is already mitigated by Tomcat's URL normalization in Tomcat 7.0.28 and later; users on older Tomcat versions should upgrade their Tomcat instance as well as their OpenMRS instance.
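
The two layers the advisory talks about, a static-file handler that joins the request path onto a base directory and a servlet container that normalizes URLs before routing, can be modelled without any OpenMRS code. The following is an added example written for this page; it is not the OpenMRS filter and does not copy Tomcat's normalizer. The mount prefix `/images/`, the temporary directory layout, the file names and the request paths are all constructed for the demo. It shows the CWE-22 pattern (prefix strip plus plain join) next to a hardened resolver that canonicalizes and checks containment, and it shows why a container that collapses `..` segments before routing keeps the traversal request from ever reaching the vulnerable handler.

```python
"""CWE-22 in a static-file handler: vulnerable join vs. canonicalized check.
Added illustration; not OpenMRS code. Mount prefix, directory layout and
request paths below are constructed for the demo."""
import os
import tempfile
from urllib.parse import unquote

MOUNT = "/images/"  # assumed mount prefix for the static handler (constructed)


def normalize_url_path(path: str) -> str:
    """Simplified model of container-side URL normalization: percent-decode once,
    then collapse '.' and '..' segments, clamping at the root. A stand-in for
    what a servlet container does before routing; not a copy of Tomcat's code."""
    segments = []
    for seg in unquote(path).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def vulnerable_resolve(base_dir: str, request_path: str) -> str:
    """Vulnerable pattern: strip the mount prefix and join the remainder onto
    base_dir with no canonicalization. '..' segments walk out of base_dir."""
    rel = unquote(request_path)[len(MOUNT):]
    return os.path.join(base_dir, rel)


def safe_resolve(base_dir: str, request_path: str):
    """Hardened pattern: canonicalize with realpath (collapses '..', resolves
    symlinks) and require the result to stay inside the canonical base_dir.
    Returns None for anything that escapes, including absolute remainders."""
    rel = unquote(request_path)[len(MOUNT):]
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, rel))
    if candidate != base_real and not candidate.startswith(base_real + os.sep):
        return None
    return candidate


def serve(base_dir, raw_request, resolver, container_normalizes):
    """Route one request through an optional container-normalization step and
    then the handler. Returns the file path the handler would read, or None when
    no handler matched or the hardened resolver rejected the path."""
    path = normalize_url_path(raw_request) if container_normalizes else raw_request
    if not path.startswith(MOUNT):
        return None  # the /images handler never sees this request
    return resolver(base_dir, path)


def demo():
    """Constructed layout: <root>/images/logo.png is servable, <root>/secret.txt
    is not. Returns whether each configuration lets a traversal request reach
    secret.txt, plus whether a legitimate request is still served."""
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "images")
        os.mkdir(base)
        with open(os.path.join(base, "logo.png"), "wb") as f:
            f.write(b"PNG-bytes")  # constructed content
        secret = os.path.join(root, "secret.txt")
        with open(secret, "w") as f:
            f.write("constructed secret")

        def leaks(raw_request, resolver, normalizes):
            target = serve(base, raw_request, resolver, normalizes)
            return target is not None and os.path.realpath(target) == os.path.realpath(secret)

        plain = "/images/../secret.txt"
        encoded = "/images/%2e%2e/secret.txt"  # same traversal, percent-encoded
        return {
            "vulnerable_no_normalization": leaks(plain, vulnerable_resolve, False),
            "vulnerable_encoded_no_normalization": leaks(encoded, vulnerable_resolve, False),
            "vulnerable_with_normalization": leaks(plain, vulnerable_resolve, True),
            "safe_no_normalization": leaks(plain, safe_resolve, False),
            "legit_served": serve(base, "/images/logo.png", safe_resolve, True)
            == os.path.realpath(os.path.join(base, "logo.png")),
        }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The containment check in `safe_resolve` is the application-side fix; it does not depend on what the container did first, which is the property you want when the same code may be deployed behind different servlet containers or versions. The `normalize_url_path` step only illustrates why an older container without segment collapsing leaves the handler exposed; the real fix is the patched OpenMRS release.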

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/23xxx/CVE-2022-23612.json",
    "cwe_ids": [
        "CWE-22"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/openmrs/openmrs-core

Affected ranges

Type
GIT
Repo
https://github.com/openmrs/openmrs-core
Events
Database specific
{
    "versions": [
        {
            "introduced": "1.6"
        },
        {
            "fixed": "2.1.5"
        }
    ]
}
Type
GIT
Repo
https://github.com/openmrs/openmrs-core
Events
Database specific
{
    "versions": [
        {
            "introduced": "2.2.0"
        },
        {
            "fixed": "2.2.1"
        }
    ]
}
Type
GIT
Repo
https://github.com/openmrs/openmrs-core
Events
Database specific
{
    "versions": [
        {
            "introduced": "2.3.0"
        },
        {
            "fixed": "2.3.5"
        }
    ]
}
Type
GIT
Repo
https://github.com/openmrs/openmrs-core
Events
Database specific
{
    "versions": [
        {
            "introduced": "2.4.0"
        },
        {
            "fixed": "2.4.5"
        }
    ]
}
Type
GIT
Repo
https://github.com/openmrs/openmrs-core
Events
Database specific
{
    "versions": [
        {
            "introduced": "2.5.0"
        },
        {
            "fixed": "2.5.3"
        }
    ]
}

Affected versions

2.*

2.2.0
2.3.0
2.3.1
2.3.2
2.3.3
2.3.4
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4
2.5.0
2.5.1