CVE-2018-19276

CVE Database · CVE-2018-19276

CVE-2018-19276

· CRITICALModified

CVSS v3.1

9.8

EPSS

98.81%

Published

Mar 21, 2019

Modified

Nov 21, 2024

Public PoC / Exploit (4)

All weaponized →

Exploit-DBOpenMRS Platform < 2.24.0 - Insecure Object Deserialization Exploit-DBOpenMRS - Java Deserialization RCE (Metasploit)NucleiNuclei detection template TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

OpenMRS before 2.24.0 is affected by an Insecure Object Deserialization vulnerability that allows an unauthenticated user to execute arbitrary commands on the targeted system via crafted XML data in a request body.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-502

Affected Products (3)

openmrs · openmrs (up to 1.12.1)vulnerable

openmrs · openmrs (up to 2.0.8)vulnerable

openmrs · openmrs (up to 2.1.4)vulnerable

References (10)

http://packetstormsecurity.com/files/151553/OpenMRS-Platform-Insecure-Object-Deserialization.html

ExploitThird Party AdvisoryVDB Entry

http://packetstormsecurity.com/files/155691/OpenMRS-Java-Deserialization-Remote-Code-Execution.html

Third Party AdvisoryVDB Entry

https://know.bishopfox.com/advisories/news/2019/02/openmrs-insecure-object-deserialization

Third Party Advisory

https://talk.openmrs.org/t/critical-security-advisory-cve-2018-19276-2019-02-04/21607

Vendor Advisory

https://www.exploit-db.com/exploits/46327/

ExploitThird Party Advisory

KEV Catalog EPSS Scores Vendors All CVEs