{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/openmrs-web/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Tomcat","OpenMRS Core","openmrs-web"],"_cs_severities":["high"],"_cs_tags":["path-traversal","information-disclosure","openmrs"],"_cs_type":"advisory","_cs_vendors":["Apache","OpenMRS"],"content_html":"\u003cp\u003eOpenMRS Core, a widely used open-source medical record system, is vulnerable to a path traversal attack via the \u003ccode\u003eModuleResourcesServlet\u003c/code\u003e. This flaw affects versions up to 2.7.8 and versions 2.8.0 through 2.8.5. An unauthenticated attacker can exploit this vulnerability by crafting a malicious URL to read arbitrary files from the server\u0026rsquo;s filesystem. The vulnerability exists because the \u003ccode\u003eModuleResourcesServlet\u003c/code\u003e component fails to properly validate user-supplied path input when serving static module resources. This vulnerability is particularly critical because the affected endpoint is not protected by authentication filters, and successful exploitation depends on running Apache Tomcat versions before 8.5.31 or prior to 9.0.10.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable OpenMRS instance running on a susceptible Tomcat version.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a valid module ID installed on the target OpenMRS instance (e.g., \u003ccode\u003elegacyui\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP GET request to the \u003ccode\u003e/openmrs/moduleResources/{moduleid}\u003c/code\u003e endpoint containing a path traversal sequence (e.g., \u003ccode\u003e..;\u003c/code\u003e) within the URL. The request attempts to access a sensitive file, such as \u003ccode\u003e/etc/passwd\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eModuleResourcesServlet\u003c/code\u003e receives the request and extracts the path information without proper validation.\u003c/li\u003e\n\u003cli\u003eThe application constructs a file path by concatenating the web application root, module path, module ID, \u0026ldquo;resources,\u0026rdquo; and the attacker-supplied path.\u003c/li\u003e\n\u003cli\u003eDue to missing path sanitization and normalization, the resulting file path points to the attacker-specified file outside the intended resources directory.\u003c/li\u003e\n\u003cli\u003eThe server reads the content of the arbitrary file (e.g., \u003ccode\u003e/etc/passwd\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe server returns the file content in the HTTP response to the attacker, resulting in information disclosure.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an unauthenticated attacker to read arbitrary files on the OpenMRS server. This can lead to the exposure of sensitive information, including system configuration files containing database credentials, potentially compromising the entire application and patient data. The number of affected deployments is unknown, but any OpenMRS instance running vulnerable versions on older Tomcat installations is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenMRS Core to a patched version beyond 2.8.5 to address CVE-2026-40075.\u003c/li\u003e\n\u003cli\u003eAs a short-term mitigation, upgrade Apache Tomcat to version 8.5.31 or later, or 9.0.10 or later, to leverage container-level path traversal protection.\u003c/li\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect exploitation attempts against the vulnerable \u003ccode\u003eModuleResourcesServlet\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious URL patterns containing path traversal sequences (\u003ccode\u003e../\u003c/code\u003e, \u003ccode\u003e..;\u003c/code\u003e, \u003ccode\u003e%2e%2e%2f\u003c/code\u003e) targeting the \u003ccode\u003e/openmrs/moduleResources/\u003c/code\u003e path.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-openmrs-path-traversal/","summary":"OpenMRS Core versions 2.7.8 and earlier, as well as versions 2.8.0 through 2.8.5, contain a path traversal vulnerability in the ModuleResourcesServlet, allowing an unauthenticated attacker to read arbitrary files from the server filesystem by manipulating the URL.","title":"OpenMRS ModuleResourcesServlet Path Traversal Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-openmrs-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed — Openmrs-Web","version":"https://jsonfeed.org/version/1.1"}