CVE-2018-19276

Published: Mar 21, 2019Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

OpenMRS before 2.24.0 is affected by an Insecure Object Deserialization vulnerability that allows an unauthenticated user to execute arbitrary commands on the targeted system via crafted XML data in a request body.

Affected (3)

Products: Openmrs: Openmrs

Openmrs

1 product

Openmrs

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Openmrs Openmrs	From 1.12.0 to 1.12.1
Openmrs Openmrs	From 2.0.0 to 2.0.8
Openmrs Openmrs	From 2.1.0 to 2.1.4

Related CWEs

CWE-502

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References (10)

http://packetstormsecurity.com/files/151553/OpenMRS-Platform-Insecure-Object-Deserialization.html

Source: cve@mitre.org

ExploitThird Party AdvisoryVDB Entry

http://packetstormsecurity.com/files/155691/OpenMRS-Java-Deserialization-Remote-Code-Execution.html

Source: cve@mitre.org

Third Party AdvisoryVDB Entry

https://know.bishopfox.com/advisories/news/2019/02/openmrs-insecure-object-deserialization

Source: cve@mitre.org

Third Party Advisory

https://talk.openmrs.org/t/critical-security-advisory-cve-2018-19276-2019-02-04/21607

Source: cve@mitre.org

Vendor Advisory

https://www.exploit-db.com/exploits/46327/

Source: cve@mitre.org

ExploitThird Party AdvisoryVDB Entry

http://packetstormsecurity.com/files/151553/OpenMRS-Platform-Insecure-Object-Deserialization.html