CVE-2017-12796 - OpenCVE

The Reporting Compatibility Add On before 2.0.4 for OpenMRS, as distributed in OpenMRS Reference Application before 2.6.1, does not authenticate users when deserializing XML input into ReportSchema objects. The result is that remote unauthenticated users are able to execute operating system commands by crafting malicious XML payloads, as demonstrated by a single admin/reports/reportSchemaXml.form request.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:L/Au:N/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Openmrs	Openmrs

Configuration 1 [-]

cpe:2.3:a:openmrs:openmrs:*:*:*:*:*:*:*:*

References

Link	Resource
https://isears.github.io/jekyll/update/2017/10/21/openmrs-rce.html	Exploit
https://talk.openmrs.org/t/critical-security-advisory-2017-09-12/13291	Vendor Advisory
https://wiki.openmrs.org/display/RES/Release+Notes+2.6.1	Release Notes Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2017-10-23T04:00:00

Updated: 2017-10-23T03:57:01

Reserved: 2017-08-10T00:00:00

Link: CVE-2017-12796

JSON object: View

NVD Information

Status : Analyzed

Published: 2017-10-23T04:29:00.210

Modified: 2017-11-21T16:26:50.230

Link: CVE-2017-12796

JSON object: View

Redhat Information

No data.

CWE

CWE-502

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2017-10-22T00:00:00", "descriptions": [{"lang": "en", "value": "The Reporting Compatibility Add On before 2.0.4 for OpenMRS, as distributed in OpenMRS Reference Application before 2.6.1, does not authenticate users when deserializing XML input into ReportSchema objects. The result is that remote unauthenticated users are able to execute operating system commands by crafting malicious XML payloads, as demonstrated by a single admin/reports/reportSchemaXml.form request."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-10-23T03:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://talk.openmrs.org/t/critical-security-advisory-2017-09-12/13291"}, {"tags": ["x_refsource_MISC"], "url": "https://wiki.openmrs.org/display/RES/Release+Notes+2.6.1"}, {"tags": ["x_refsource_MISC"], "url": "https://isears.github.io/jekyll/update/2017/10/21/openmrs-rce.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-12796", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Reporting Compatibility Add On before 2.0.4 for OpenMRS, as distributed in OpenMRS Reference Application before 2.6.1, does not authenticate users when deserializing XML input into ReportSchema objects. The result is that remote unauthenticated users are able to execute operating system commands by crafting malicious XML payloads, as demonstrated by a single admin/reports/reportSchemaXml.form request."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://talk.openmrs.org/t/critical-security-advisory-2017-09-12/13291", "refsource": "MISC", "url": "https://talk.openmrs.org/t/critical-security-advisory-2017-09-12/13291"}, {"name": "https://wiki.openmrs.org/display/RES/Release+Notes+2.6.1", "refsource": "MISC", "url": "https://wiki.openmrs.org/display/RES/Release+Notes+2.6.1"}, {"name": "https://isears.github.io/jekyll/update/2017/10/21/openmrs-rce.html", "refsource": "MISC", "url": "https://isears.github.io/jekyll/update/2017/10/21/openmrs-rce.html"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-12796", "datePublished": "2017-10-23T04:00:00", "dateReserved": "2017-08-10T00:00:00", "dateUpdated": "2017-10-23T03:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openmrs:openmrs:*:*:*:*:*:*:*:*", "matchCriteriaId": "CC2390B4-BFC2-454E-8A9C-705E364A507D", "versionEndExcluding": "2.6.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Reporting Compatibility Add On before 2.0.4 for OpenMRS, as distributed in OpenMRS Reference Application before 2.6.1, does not authenticate users when deserializing XML input into ReportSchema objects. The result is that remote unauthenticated users are able to execute operating system commands by crafting malicious XML payloads, as demonstrated by a single admin/reports/reportSchemaXml.form request."}, {"lang": "es", "value": "Reporting Compatibility Add On en versiones anteriores a la 2.0.4 para OpenMRS, tal y como se distribuye en OpenMRS Reference Application en versiones anteriores a la 2.6.1, no autentica usuarios cuando deserializa entradas XML en objetos ReportSchema. El resultado es que usuarios remotos no autenticados pueden ejecutar comandos del sistema operativo manipulando cargas \u00fatiles XML maliciosas, tal y como demuestra una \u00fanica petici\u00f3n admin/reports/reportSchemaXml.form."}], "id": "CVE-2017-12796", "lastModified": "2017-11-21T16:26:50.230", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-10-23T04:29:00.210", "references": [{"source": "cve@mitre.org", "tags": ["Exploit"], "url": "https://isears.github.io/jekyll/update/2017/10/21/openmrs-rce.html"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://talk.openmrs.org/t/critical-security-advisory-2017-09-12/13291"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://wiki.openmrs.org/display/RES/Release+Notes+2.6.1"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "nvd@nist.gov", "type": "Primary"}]}