Bahmni-LITE v-1.0.0 Known Vulnerabilities

Each entry below gives: Image, Vulnerability, Library, Description, How it would affect, Comments, Affected Area, Mitigation.

1
Image: bahmniindiadistro/openmrs
Vulnerability: CVE-2022-0839
Library: org.liquibase:liquibase-core
Description: Improper Restriction of XML External Entity Reference in GitHub repository liquibase/liquibase prior to 4.8.0.
How it would affect: The software processes an XML document that can contain XML entities with URIs resolving to documents outside the intended sphere of control, causing the product to embed those documents into its output. Confidentiality, integrity and availability are impacted.
Comments: Present in the base openmrs image. Needs an upgrade of org.liquibase:liquibase-core from version 4.4.3 to 4.8.0.
Affected Area: A flaw was found in Liquibase's XMLChangeLogSAXParser(). It uses SAXParser without FEATURE_SECURE_PROCESSING set, which could allow XML External Entity (XXE) attacks. Present only in the Oracle database setup.
Mitigation: It is only an issue for a web application that accepts XML input from a user and feeds it to this parser. Liquibase parses the changelog XML shipped with the application (classpath or file system), so an attacker would first need to control a changelog that gets loaded; the upgrade removes the finding either way.
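The parser misconfiguration this entry describes, shown beside a hardened configuration, as an added example that is not Liquibase, OpenMRS or Bahmni code. It writes a constructed secret to a temporary file, builds a changelog-shaped document whose external entity points at that file, and parses it once with a default SAXParserFactory (what pre-4.8.0 Liquibase did) and once with a parser that refuses DOCTYPE. Class and method names are the example's own.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

/** Added example (not Liquibase code): the SAXParser setup behind CVE-2022-0839
 *  next to a hardened one. */
public class XxeDemo {

    /** Collects the text content of the parsed document so we can see what an
     *  external entity expanded to. */
    static final class TextCollector extends DefaultHandler {
        final StringBuilder text = new StringBuilder();
        @Override public void characters(char[] ch, int start, int len) {
            text.append(ch, start, len);
        }
    }

    /** Mirrors the pre-4.8.0 behaviour: factory defaults, secure processing not
     *  set, so a DOCTYPE with an external entity is honoured. */
    static SAXParser vulnerableParser() throws ParserConfigurationException, SAXException {
        return SAXParserFactory.newInstance().newSAXParser();
    }

    /** Hardened form: refuse DOCTYPE entirely (a changelog never needs one), and
     *  switch off external entities and XInclude as defence in depth. */
    static SAXParser hardenedParser() throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        return f.newSAXParser();
    }

    /** Parses the document and returns its text content, or the parser's
     *  rejection message. */
    static String parse(SAXParser parser, String xml) throws IOException {
        TextCollector handler = new TextCollector();
        try {
            parser.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)), handler);
            return "parsed: " + handler.text.toString().trim();
        } catch (SAXException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed secret standing in for a file an attacker would want to read.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.write(secret, "db.password=hunter2".getBytes(StandardCharsets.UTF_8));

        // Constructed changelog-like XML carrying the external entity.
        String xml = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE databaseChangeLog [\n"
                + "  <!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">\n"
                + "]>\n"
                + "<databaseChangeLog><comment>&xxe;</comment></databaseChangeLog>";

        System.out.println("default parser  -> " + parse(vulnerableParser(), xml));
        System.out.println("hardened parser -> " + parse(hardenedParser(), xml));
        Files.deleteIfExists(secret);
    }
}
```

The default parser prints the content of the temporary file inside the comment element; the hardened one stops at the DOCTYPE. On the JDK's built-in parser, explicitly enabling FEATURE_SECURE_PROCESSING also restricts external DTD and entity access, which is why the upstream fix is sufficient there; a separate Xerces jar on the classpath may not honour that, so refusing DOCTYPE is the setting that closes XXE regardless of which implementation the factory picks up.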

2
Image: bahmniindiadistro/openmrs
Vulnerability: CVE-2022-21724
Library: org.postgresql:postgresql
Description: pgjdbc instantiates plugin instances based on class names provided via the `authenticationPluginClassName`, `sslhostnameverifier`, `socketFactory`, `sslfactory` and `sslpasswordcallback` connection properties. The driver did not verify that the class implements the expected interface before instantiating it, so any class on the classpath can be loaded and instantiated, which can lead to code execution.
How it would affect: A system using the postgresql library is exposed when an attacker controls the JDBC URL or connection properties.
Comments: Present in the base openmrs image. Bahmni does not use the PostgreSQL driver shipped with openmrs. Needs an upgrade of org.postgresql:postgresql from version 42.2.24 to 42.3.3.
Affected Area: Present only in PostgreSQL database deployments.
Mitigation: We do not have a JDBC URL configured for PostgreSQL in the openmrs container, as we are on a MySQL database. The jar being present is not exploitable by itself; the risk only appears if a PostgreSQL connection is opened with attacker-influenced properties.

3
Image: bahmniindiadistro/openmrs
Vulnerability: CVE-2022-26520
Library: org.postgresql:postgresql
Description: This flaw allows an attacker to write arbitrary files through the connection properties: the `loggerFile` and `loggerLevel` properties point the driver's java.util.logging FileHandler at a path of the attacker's choosing.
How it would affect: An attacker can create a file, for example an executable or a web shell, on the server the application runs on and make it part of the application or server.
Comments: Present in the base openmrs image. Bahmni does not use the PostgreSQL driver shipped with openmrs. Needs an upgrade of org.postgresql:postgresql from version 42.2.24 to 42.3.3.
Affected Area: Present in PostgreSQL database deployments.
Mitigation: We do not have a JDBC URL configured for PostgreSQL in the openmrs container, as we are on a MySQL database.
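A defensive check for the condition both PostgreSQL entries name (an attacker controlling the JDBC URL or connection properties), as an added example that is not Bahmni or pgjdbc code. It scans a JDBC URL's query string and a Properties object for the five class-name properties from CVE-2022-21724 and the two logging properties from CVE-2022-26520, so that connection settings taken from a less trusted source (a user-editable report definition, for instance) can be rejected before they reach DriverManager. Class and method names are the example's own; the inputs in main are constructed.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Properties;
import java.util.Set;

/** Added example (not Bahmni or pgjdbc code): flag connection settings that let
 *  the caller choose which classes the driver instantiates (CVE-2022-21724) or
 *  which file it writes its log to (CVE-2022-26520). Needs Java 11 or later. */
public final class PgJdbcGuard {

    // Properties named in CVE-2022-21724: the driver instantiated whatever class
    // name they carried without checking the expected interface.
    private static final Set<String> CLASS_LOADING_KEYS = Set.of(
            "authenticationpluginclassname", "sslhostnameverifier", "socketfactory",
            "sslfactory", "sslpasswordcallback");
    // Properties named in CVE-2022-26520: they configure a java.util.logging
    // FileHandler, i.e. an attacker-chosen path that the driver writes to.
    private static final Set<String> FILE_WRITE_KEYS = Set.of("loggerfile", "loggerlevel");

    /** Returns the offending settings found in the URL query string and in the
     *  Properties object, prefixed with where they came from; empty means none. */
    static List<String> findDangerousSettings(String jdbcUrl, Properties props) {
        List<String> hits = new ArrayList<>();
        for (String key : queryKeys(jdbcUrl)) {
            if (isDangerous(key)) {
                hits.add("url:" + key);
            }
        }
        for (String key : props.stringPropertyNames()) {
            if (isDangerous(key)) {
                hits.add("prop:" + key);
            }
        }
        return hits;
    }

    // Compared case-insensitively so a differently cased variant is not missed.
    static boolean isDangerous(String key) {
        String k = key.toLowerCase(Locale.ROOT);
        return CLASS_LOADING_KEYS.contains(k) || FILE_WRITE_KEYS.contains(k);
    }

    /** Parameter names from the query part of a jdbc:postgresql://host/db?k=v URL. */
    static List<String> queryKeys(String jdbcUrl) {
        List<String> keys = new ArrayList<>();
        if (jdbcUrl == null || !jdbcUrl.startsWith("jdbc:")) {
            return keys;
        }
        String query;
        try {
            // Strip the "jdbc:" prefix; the remainder is a URI java.net.URI can parse.
            query = new URI(jdbcUrl.substring("jdbc:".length())).getRawQuery();
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("unparseable JDBC URL: " + jdbcUrl, e);
        }
        if (query == null) {
            return keys;
        }
        for (String pair : query.split("&")) {
            if (!pair.isEmpty()) {
                keys.add(URLDecoder.decode(pair.split("=", 2)[0], StandardCharsets.UTF_8));
            }
        }
        return keys;
    }

    public static void main(String[] args) {
        // Constructed inputs: a benign URL and one smuggling a socket factory class
        // and a log file path under the web root.
        String benign = "jdbc:postgresql://db:5432/openmrs?ssl=true";
        String hostile = "jdbc:postgresql://db:5432/openmrs?ssl=true&socketFactory=evil.Dropper"
                + "&loggerLevel=DEBUG&loggerFile=/var/www/html/shell.jsp";
        Properties props = new Properties();
        props.setProperty("user", "openmrs");
        System.out.println(findDangerousSettings(benign, props));
        System.out.println(findDangerousSettings(hostile, props));
    }
}
```

The check is a stopgap for configuration paths that cannot be fully trusted; upgrading the driver to 42.3.3 is what removes the underlying behaviour, and a deployment that never opens a PostgreSQL connection (as the entries above state for the openmrs container) has no reachable path to either flaw.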

4
Image: bahmniindiadistro/openmrs
Vulnerability: CVE-2022-22965
Library: org.springframework:spring-beans
Description: A flaw was found in Spring Framework, specifically in the Spring MVC and Spring WebFlux modules (transitively affected through Spring Beans), in parameter data binding.
How it would affect: This flaw allows an attacker to pass specially crafted requests to certain parameters and possibly gain access to normally restricted functionality within the Java Virtual Machine, up to remote code execution.
Comments: Present in the base openmrs image. Needs an upgrade of org.springframework:spring-beans from version 5.2.14.RELEASE to 5.3.18 (5.2.20.RELEASE is the fixed release on the 5.2 line); all Spring Framework artifacts must move together.
Affected Area: Remote code execution in Spring Framework ("Spring4Shell"); vendor advisories such as IBM Cloud Pak System's track it together with CVE-2020-5421. The published exploit chain additionally requires JDK 9 or later and a WAR deployed on Tomcat, which is how openmrs.war runs, so the JDK version of the image decides the practical exposure.
Mitigation: Workaround until the upgrade: set disallowed fields on the data binder (a @ControllerAdvice with an @InitBinder method) denying the patterns "class.*", "Class.*", "*.class.*" and "*.Class.*".

5
Image: bahmniindiadistro/openmrs
Vulnerability: CVE-2022-22965
Library: org.springframework:spring-webmvc
Description: The same flaw in Spring MVC and Spring WebFlux parameter data binding, reported here against spring-webmvc rather than spring-beans.
How it would affect: This flaw allows an attacker to pass specially crafted requests to certain parameters and possibly gain access to normally restricted functionality within the Java Virtual Machine, up to remote code execution.
Comments: Present in the base openmrs image. Needs an upgrade of org.springframework:spring-webmvc, together with spring-beans and the other Spring Framework artifacts, from version 5.2.14.RELEASE to 5.3.18 (or 5.2.20.RELEASE on the 5.2 line).
Affected Area: Remote code execution in Spring Framework ("Spring4Shell"); vendor advisories such as IBM Cloud Pak System's track it together with CVE-2020-5421. The published exploit chain requires JDK 9 or later and a WAR deployed on Tomcat, so the JDK version of the openmrs image decides the practical exposure.
Mitigation: Workaround until the upgrade: set disallowed fields on the data binder (a @ControllerAdvice with an @InitBinder method) denying the patterns "class.*", "Class.*", "*.class.*" and "*.Class.*".
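The data-binder workaround the two Spring entries refer to, as an added example (not OpenMRS or Bahmni code): a @ControllerAdvice whose @InitBinder method adds the four patterns from the Spring advisory to every WebDataBinder, merging with any fields a binder already disallows. The class name is the example's own.

```java
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

/** Added example (not OpenMRS/Bahmni code): the CVE-2022-22965 data-binder
 *  workaround, applied to every @Controller in the web application. */
@ControllerAdvice
public class BinderControllerAdvice {

    // Patterns from the Spring advisory. "Class.*" covers the getClass() accessor,
    // the "*." forms cover nested beans reached through the bound object.
    private static final String[] DENY = {"class.*", "Class.*", "*.class.*", "*.Class.*"};

    @InitBinder
    public void denyClassProperties(WebDataBinder dataBinder) {
        String[] existing = dataBinder.getDisallowedFields();
        if (existing == null || existing.length == 0) {
            dataBinder.setDisallowedFields(DENY);
            return;
        }
        // Keep whatever the binder already disallows and append our patterns,
        // so this advice never loosens a stricter local configuration.
        String[] merged = new String[existing.length + DENY.length];
        System.arraycopy(existing, 0, merged, 0, existing.length);
        System.arraycopy(DENY, 0, merged, existing.length, DENY.length);
        dataBinder.setDisallowedFields(merged);
    }
}
```

Spring applies @ControllerAdvice binder methods before a controller's own @InitBinder methods, so any controller that calls setDisallowedFields itself replaces this list and must include the patterns as well. Spring's advisory presents this as a stopgap only; the 5.3.18 / 5.2.20.RELEASE upgrade is the fix.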

6
Image: bahmni/reports, bahmni/crater-atomfeed, bahmniindiadistro/openmrs
Vulnerability: CVE-2016-1000027
Library: org.springframework:spring-web
Description: Potential remote code execution (RCE) if spring-web's HTTP Invoker is used for Java deserialization of untrusted data.
How it would affect: Depending on how the library is used within a product, this issue may or may not occur, and authentication may be required.
Comments: Resolved upstream only in org.springframework:spring-web 6.0.0, which removes HTTP Invoker altogether (and requires Java 17 and a Spring Framework 6 baseline); on 5.x the finding stays open in scanners even when no invoker endpoint exists.
Affected Area: This vulnerability makes it possible to exploit deserialization of untrusted data, ultimately leading to Remote Code Execution (RCE). The root cause is that the readRemoteInvocation method of the HttpInvokerServiceExporter class does not sufficiently restrict or verify untrusted objects before deserializing them.
Mitigation: The recommended remediation is to ensure no HTTP Invoker endpoints (HttpInvokerServiceExporter beans, including those declared as `<bean class="org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter">` in module XML contexts) are exposed to untrusted clients.
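A startup check for the remediation this entry recommends, as an added example (not OpenMRS or Bahmni code): a Spring component that inspects the refreshed ApplicationContext, and its parents, for HttpInvokerServiceExporter beans and aborts startup if any are present, so an invoker endpoint cannot be introduced unnoticed by a module. Class and method names are the example's own; it targets Spring Framework 5.x, where the class still exists (deprecated in 5.3, removed in 6.0).

```java
import java.util.Set;
import org.springframework.beans.factory.BeanFactoryUtils;
import org.springframework.context.ApplicationContext;
import org.springframework.context.ApplicationListener;
import org.springframework.context.event.ContextRefreshedEvent;
import org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter;
import org.springframework.stereotype.Component;

/** Added example (not OpenMRS/Bahmni code): fail fast if any HTTP Invoker
 *  endpoint is wired into the Spring context. Spring Framework 5.x only. */
@Component
@SuppressWarnings("deprecation")
public class HttpInvokerGuard implements ApplicationListener<ContextRefreshedEvent> {

    /** Names of all HttpInvokerServiceExporter beans visible from this context,
     *  including beans defined in module XML files and in parent contexts;
     *  an empty set means no invoker endpoint is exposed. */
    static Set<String> findInvokerExporters(ApplicationContext ctx) {
        return BeanFactoryUtils
                .beansOfTypeIncludingAncestors(ctx, HttpInvokerServiceExporter.class)
                .keySet();
    }

    @Override
    public void onApplicationEvent(ContextRefreshedEvent event) {
        Set<String> exporters = findInvokerExporters(event.getApplicationContext());
        if (!exporters.isEmpty()) {
            // Throwing here aborts the context refresh, so the webapp does not
            // come up with a Java deserialization endpoint reachable over HTTP.
            throw new IllegalStateException(
                    "HTTP Invoker endpoints deserialize untrusted Java objects"
                            + " (CVE-2016-1000027); remove these beans: " + exporters);
        }
    }
}
```

A complementary static check is to search the deployed WAR and module jars for the string HttpInvokerServiceExporter, since an exporter bean that exists but is not mapped to a URL is still worth removing before the next module adds the mapping.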

7
Image: bahmni/crater-php
Vulnerability: CVE-2023-23924
Library: dompdf/dompdf
Description: The URI validation in dompdf 2.0.1 can be bypassed during SVG parsing by passing `<image>` tags with uppercase letters. This may lead to arbitrary object unserialize on PHP < 8, through the `phar` URL wrapper.
How it would affect: An attacker who can get an SVG file to dompdf can make it request arbitrary URLs with arbitrary protocols. On PHP versions before 8.0.0 this leads to arbitrary unserialize, which means at the very least arbitrary file deletion and possibly remote code execution, depending on the classes available; the PHP version in the crater-php image therefore decides whether the unserialize path applies.
Comments: Still undergoing analysis. It requires dompdf/dompdf to be upgraded from version v1.2.2 to 2.0.2.

8
Image: bahmniindiadistro/openmrs
Vulnerability: CVE-2019-10202
Library: org.codehaus.jackson:jackson-mapper-asl
Description: Incomplete fix for the unsafe deserialization vulnerabilities known from jackson-databind, in the unmaintained Codehaus Jackson 1.9.x line.
How it would affect: An attacker could exploit this vulnerability to execute arbitrary code remotely, take control of the system, steal sensitive data, or launch a denial-of-service (DoS) attack. Exploitation needs polymorphic type handling (default typing or @JsonTypeInfo) applied to attacker-controlled JSON, plus a gadget class on the classpath.
Comments: Requires a version upgrade in openmrs-core. Upstream Codehaus Jackson 1.x is end-of-life and has no fixed release, so the real fix is migrating to com.fasterxml.jackson (jackson-databind 2.x).

The Bahmni documentation is licensed under Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0)