
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in OpenClinica

Moderate
svadla-oc published GHSA-9rrv-prff-qph7 May 11, 2022

Package

OpenClinica (None)

Affected versions

<3.16

Patched versions

3.13.1, 3.14.1, 3.16.2

Description

Impact

The following vulnerabilities were identified by CodeQL and can be found here:

A summary of the above can be found below.

The following endpoints contain path traversal vulnerabilities.

Arbitrary File Read Vulnerabilities

These endpoints allow an attacker to download arbitrary files from a system running OpenClinica, and therefore to read any information or files stored on that system.

The following endpoints are impacted:

Arbitrary File Write Vulnerabilities

The following endpoints allow an attacker to upload any file they wish to any directory they wish on a system running OpenClinica. This can lead to remote code execution in certain environments.
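Both the file-read and file-write cases above are the same defect: a user-supplied path segment is joined onto a base directory without checking that the result still lies inside it. The check below is an added illustration of the defensive pattern, not OpenClinica's code and not the content of the referenced patch. It assumes a POSIX filesystem and that the web layer has already URL-decoded the path segment before it reaches these functions; `base_dir`, `user_path` and the temporary files in `demo()` are constructed for the example.

```python
"""Path-containment check for file download and upload handlers.

Added illustrative code; not OpenClinica's code and not the patch in 6f864e8.
Assumes a POSIX filesystem and that the web layer has already URL-decoded
the user-supplied path segment (so "..%2F" has already become "../").
"""
import tempfile
from pathlib import Path


def resolve_within(base_dir: str, user_path: str) -> Path:
    """Return the absolute path for user_path inside base_dir, or raise.

    Joining and then resolving collapses '..' segments and follows symlinks,
    so the containment test is made on the real target rather than on the
    raw string. An absolute user_path replaces base_dir when joined, which
    the same test rejects.
    """
    base = Path(base_dir).resolve()
    candidate = (base / user_path).resolve()
    if candidate != base and base not in candidate.parents:
        raise ValueError(f"path escapes base directory: {user_path!r}")
    return candidate


def is_contained(base_dir: str, user_path: str) -> bool:
    """Boolean wrapper around resolve_within, convenient for logging and tests."""
    try:
        resolve_within(base_dir, user_path)
        return True
    except ValueError:
        return False


def read_file(base_dir: str, user_path: str) -> bytes:
    """Download handler: only serves files that stay under base_dir."""
    return resolve_within(base_dir, user_path).read_bytes()


def write_file(base_dir: str, user_path: str, data: bytes) -> Path:
    """Upload handler: only writes under base_dir and only into directories
    that already exist, so a request cannot provision new locations."""
    target = resolve_within(base_dir, user_path)
    if not target.parent.is_dir():
        raise ValueError(f"destination directory does not exist: {target.parent}")
    target.write_bytes(data)
    return target


def demo() -> dict:
    """Exercise the checks against constructed inputs in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "files"
        base.mkdir()
        (base / "report.csv").write_bytes(b"subject,visit\n")
        # Constructed file outside the base that a traversal would otherwise reach.
        (Path(tmp) / "secret.txt").write_bytes(b"do not serve\n")
        # Symlink inside base pointing outside it: rejected because resolve()
        # follows the link before the containment test.
        (base / "link").symlink_to(Path(tmp) / "secret.txt")

        results = {
            "plain": is_contained(str(base), "report.csv"),
            "dotdot": is_contained(str(base), "../secret.txt"),
            "absolute": is_contained(str(base), "/etc/passwd"),
            "symlink": is_contained(str(base), "link"),
            "nested_dotdot": is_contained(str(base), "sub/../../secret.txt"),
            "base_itself": is_contained(str(base), "."),
        }
        results["read_ok"] = read_file(str(base), "report.csv") == b"subject,visit\n"
        written = write_file(str(base), "upload.bin", b"\x00\x01")
        results["write_ok"] = written.read_bytes() == b"\x00\x01"
        try:
            write_file(str(base), "../escape.txt", b"x")
            results["write_blocked"] = False
        except ValueError:
            results["write_blocked"] = True
        return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:14} {ok}")
```

The decisive step is testing containment on the resolved path rather than rejecting substrings such as `..`: string filters miss absolute paths, symlinks and alternative encodings, whereas a resolved path either has the base directory as an ancestor or it does not. Servers that run the check before decoding, or that decode twice, reintroduce the defect.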

Patches

6f864e8

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?
No

References

Severity

Moderate, 6.5 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE ID

CVE-2022-24830

Weaknesses

Credits