Bahmni-LITE v-1.0.0 Known Vulnerabilities
# | Image | Vulnerability | Library | Description | How it would affect | Comments | Affected Area | Mitigation
---|---|---|---|---|---|---|---|---
1 | bahmniindiadistro/openmrs | CVE-2022-0839 | org.liquibase:liquibase-core | Improper Restriction of XML External Entity Reference in GitHub repository liquibase/liquibase prior to 4.8.0. | The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. Confidentiality, integrity and availability are impacted. | Present in the base openmrs image. Needs an upgrade of the org.liquibase:liquibase-core library from version 4.4.3 to 4.8.0. | A flaw was found in Liquibase's XMLChangeLogSAXParser() function. It uses SAXParser without FEATURE_SECURE_PROCESSING set, which could allow XML External Entity (XXE) attacks. Present only in the Oracle database. | It would be an issue only for a web application that accepts XML input from a user and processes it with an XML parser.
2 | bahmniindiadistro/openmrs | CVE-2022-21724 | org.postgresql:postgresql | pgjdbc instantiates plugin instances based on class names provided via the `authenticationPluginClassName`, `sslhostnameverifier`, `socketFactory`, `sslfactory` and `sslpasswordcallback` connection properties. However, the driver did not verify that the class implements the expected interface before instantiating it. This can lead to code execution via arbitrarily loaded classes. | A system using the postgresql library can be attacked when an attacker controls the JDBC URL or properties. | Present in the base openmrs image. Bahmni is not using the PostgreSQL driver provided with openmrs. Needs an upgrade of the org.postgresql:postgresql library from version 42.2.24 to 42.3.3. | A system using the postgresql library can be attacked when an attacker controls the JDBC URL or properties. Present only in the PostgreSQL database. | We don't have a JDBC URL configured for PostgreSQL as part of the openmrs container, as we are on a MySQL database.
3 | bahmniindiadistro/openmrs | CVE-2022-26520 | org.postgresql:postgresql | This flaw allows an attacker to use a method to write arbitrary files through the connection properties settings. | An attacker can create an executable file on the server the application is running on and make it a new part of the application or server. | Present in the base openmrs image. Bahmni is not using the PostgreSQL driver provided with openmrs. Needs an upgrade of the org.postgresql:postgresql library from version 42.2.24 to 42.3.3. | This flaw allows an attacker to use a method to write arbitrary files through the connection properties settings. For example, an attacker can create an executable file on the server the application is running on and make it a new part of the application or server. Present only in the PostgreSQL database. | We don't have a JDBC URL configured for PostgreSQL as part of the openmrs container, as we are on a MySQL database.
4 | bahmniindiadistro/openmrs | CVE-2022-22965 | org.springframework:spring-beans | A flaw was found in Spring Framework, specifically within two modules called Spring MVC and Spring WebFlux (transitively affected from Spring Beans), when using parameter data binding. | This flaw allows an attacker to pass specially constructed malicious requests to certain parameters and possibly gain access to normally restricted functionality within the Java Virtual Machine. | Present in the base openmrs image. Needs an upgrade of the org.springframework:spring-beans library from version 5.2.14.RELEASE to 5.3.18. | IBM Cloud Pak System is affected by a remote code execution in Spring Framework (CVE-2022-22965 and CVE-2020-5421). | A mitigation workaround is to set disallowed fields on the data binder in the application, denying the various forms of the string "class.*".
5 | bahmniindiadistro/openmrs | CVE-2022-22965 | org.springframework:spring-webmvc | A flaw was found in Spring Framework, specifically within two modules called Spring MVC and Spring WebFlux (transitively affected from Spring Beans), when using parameter data binding. | This flaw allows an attacker to pass specially constructed malicious requests to certain parameters and possibly gain access to normally restricted functionality within the Java Virtual Machine. | Present in the base openmrs image. Needs an upgrade of the org.springframework:spring-beans library from version 5.2.14.RELEASE to 5.3.18. | IBM Cloud Pak System is affected by a remote code execution in Spring Framework (CVE-2022-22965 and CVE-2020-5421). | A mitigation workaround is to set disallowed fields on the data binder in the application, denying the various forms of the string "class.*".
6 | bahmni/reports | CVE-2016-1000027 | org.springframework:spring-web | Potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. | Depending on how the library is used within a product, this issue may or may not occur, and authentication may be required. | It requires org.springframework:spring-beans to be upgraded to version 6.0.0. | This vulnerability makes it possible to exploit deserialization of untrusted data, ultimately leading to Remote Code Execution (RCE). The root cause is that the readRemoteInvocation method within the HttpInvokerServiceExporter class does not sufficiently restrict or verify untrusted objects prior to deserializing them. | The recommended remediation is to ensure there are no HTTP Invoker endpoints exposed to untrusted clients.
7 | bahmni/crater-php | CVE-2023-23924 | dompdf/dompdf | The URI validation in dompdf 2.0.1 can be bypassed during SVG parsing by passing `<image>` tags with uppercase letters. This may lead to arbitrary object unserialize on PHP < 8 through the `phar` URL wrapper. | An attacker can exploit the vulnerability to call an arbitrary URL with arbitrary protocols if they can provide an SVG file to dompdf. In PHP versions before 8.0.0 it leads to arbitrary unserialize, which leads at the very least to arbitrary file deletion and possibly remote code execution, depending on the classes that are available. | Still undergoing analysis. | |
8 | bahmniindiadistro/openmrs | CVE-2019-10202 | org.codehaus.jackson:jackson-mapper-asl | Incomplete fix for unsafe deserialization vulnerabilities in jackson-databind. | An attacker could exploit this vulnerability to execute arbitrary code remotely, take control of the system, steal sensitive data, or launch a denial-of-service (DoS) attack. | Requires a version upgrade in openmrs-core. | |
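The hardened SAXParser configuration whose absence the comment on item 1 attributes to Liquibase's XMLChangeLogSAXParser(), as an added Java example that is neither Bahmni's nor Liquibase's code; the class name and the changelog-style sample document are constructed for illustration.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

// Constructed example: builds a SAXParser that cannot resolve external entities.
public class HardenedSaxParser {

    public static SAXParser newHardenedParser() throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        // The JAXP feature the advisory says Liquibase's parser did not set.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Refuse any DOCTYPE, so no entity declarations can be made at all.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces in case a DOCTYPE ever gets through: no external entities.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setXIncludeAware(false);
        return factory.newSAXParser();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a changelog-shaped document that declares an external entity.
        // The SYSTEM URI is a placeholder; the point is that the DOCTYPE itself is rejected.
        String sample = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE databaseChangeLog [<!ENTITY ext SYSTEM \"file:///placeholder/path\">]>\n"
            + "<databaseChangeLog>&ext;</databaseChangeLog>";
        try {
            newHardenedParser().parse(new InputSource(new StringReader(sample)), new DefaultHandler());
            System.out.println("parsed without error (not expected for this input)");
        } catch (SAXParseException e) {
            // Expected path: the hardened parser stops at the DOCTYPE declaration.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same factory settings apply to any code path in the image that parses XML supplied by a user, which is the condition the Mitigation column gives for this item to matter.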
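The data-binder workaround named in the Mitigation column for items 4 and 5, written out as an added Java example that is not Bahmni's or Spring's own code; it assumes a Spring MVC application with component scanning, and the class name is a constructed placeholder.

```java
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

// Constructed example: applies to every @Controller in the application.
// LOWEST_PRECEDENCE makes it run after a controller's own @InitBinder methods,
// so a controller cannot accidentally re-open the denied fields.
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderControllerAdvice {

    @InitBinder
    public void setDisallowedFields(WebDataBinder binder) {
        // Every form of "class.*" that data binding could reach: the property itself,
        // its capitalised variant, and the same two nested under any other property.
        // Matching is literal on these versions, so both cases must be listed.
        String[] denylist = {"class.*", "Class.*", "*.class.*", "*.Class.*"};
        binder.setDisallowedFields(denylist);
    }
}
```

This only covers request paths that go through WebDataBinder; upgrading spring-beans to 5.3.18, as the Comments column says, remains the actual fix.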
The Bahmni documentation is licensed under Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0)