OpenEMR up to 6.x Outside Expected Data Manager data access from outside expected data manager component
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 7.1 | $0-$5k | 0.00 |
Summary
A vulnerability classified as critical has been found in OpenEMR up to 6.x. This affects an unknown part of the component Outside Expected Data Manager. The manipulation leads to data access from outside expected data manager component. This vulnerability is uniquely identified as CVE-2022-2493. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to upgrade the affected component. If you want to get best quality of vulnerability data, you may have to visit VulDB.
Details
A vulnerability was found in OpenEMR up to 6.x (Business Process Management Software). It has been rated as critical. Affected by this issue is an unknown function of the component Outside Expected Data Manager. The manipulation with an unknown input leads to a data access from outside expected data manager component vulnerability. Using CWE to declare the problem leads to CWE-1083. The product is intended to manage data access through a particular data manager component such as a relational or non-SQL database, but it contains code that performs data access operations without using that component. Impacted is confidentiality, integrity, and availability. CVE summarizes:
Data Access from Outside Expected Data Manager Component in GitHub repository openemr/openemr prior to 7.0.0.
The weakness was presented 07/22/2022. The advisory is shared for download at huntr.dev. This vulnerability is handled as CVE-2022-2493 since 07/20/2022. There are neither technical details nor an exploit publicly available.
Upgrading to version 7.0.0 eliminates this vulnerability. Applying the patch 871ae5198d8ca18fd17257ae7c5c906a52dca908 is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Product
Type
Name
Version
License
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 7.3VulDB Meta Temp Score: 7.1
VulDB Base Score: 6.3
VulDB Temp Score: 6.0
VulDB Vector: 🔍
VulDB Reliability: 🔍
CNA Base Score: 8.3
CNA Vector (huntr.dev): 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| unlock | unlock | unlock | unlock | unlock | unlock |
| unlock | unlock | unlock | unlock | unlock | unlock |
| unlock | unlock | unlock | unlock | unlock | unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
Exploiting
Class: Data access from outside expected data manager componentCWE: CWE-1083
CAPEC: 🔍
ATT&CK: 🔍
Local: No
Remote: Yes
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | unlock | unlock | unlock | unlock |
|---|---|---|---|---|
| Today | unlock | unlock | unlock | unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Upgrade: OpenEMR 7.0.0
Patch: 871ae5198d8ca18fd17257ae7c5c906a52dca908
Timeline
07/20/2022 🔍07/22/2022 🔍
07/22/2022 🔍
08/20/2022 🔍
Sources
Advisory: 871ae5198d8ca18fd17257ae7c5c906a52dca908Status: Confirmed
CVE: CVE-2022-2493 (🔍)
GCVE (CVE): GCVE-0-2022-2493
GCVE (VulDB): GCVE-100-204848
Entry
Created: 07/22/2022 09:00 AMUpdated: 08/20/2022 07:49 AM
Changes: 07/22/2022 09:00 AM (51), 08/20/2022 07:49 AM (1)
Complete: 🔍
Cache ID: 18:65A:40
No comments yet. Languages: en.
Please log in to comment.