Vulnerability Details : CVE-2018-19276
Public exploit exists!
OpenMRS before 2.24.0 is affected by an Insecure Object Deserialization vulnerability that allows an unauthenticated user to execute arbitrary commands on the targeted system via crafted XML data in a request body.
Products affected by CVE-2018-19276
- cpe:2.3:a:openmrs:openmrs:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-19276
95.67%
Probability of exploitation activity in the next 30 days
EPSS Score History
~99% percentile (the proportion of vulnerabilities with an EPSS score at or below this one)
Metasploit modules for CVE-2018-19276
-
OpenMRS Java Deserialization RCE
Disclosure Date: 2019-02-04
First seen: 2020-04-26
Module: exploit/multi/http/openmrs_deserialization
OpenMRS is an open-source platform that supplies users with a customizable medical record system. There exists an object deserialization vulnerability in the `webservices.rest` module used in OpenMRS Platform. Unauthenticated remote code execution can be ach
CVSS scores for CVE-2018-19276
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
10.0 | HIGH | AV:N/AC:L/Au:N/C:C/I:C/A:C | 10.0 | 10.0 | NIST | 
10.0 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | 3.9 | 6.0 | MITRE | 
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | 
CWE ids for CVE-2018-19276
-
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-19276
- https://know.bishopfox.com/advisories/news/2019/02/openmrs-insecure-object-deserialization
  OpenMRS - Insecure Object Deserialization (Third Party Advisory)
- https://talk.openmrs.org/t/critical-security-advisory-cve-2018-19276-2019-02-04/21607
  Critical Security Advisory CVE-2018-19276: 2019-02-04 - Community / Announcements - OpenMRS Talk (Vendor Advisory)
- http://packetstormsecurity.com/files/155691/OpenMRS-Java-Deserialization-Remote-Code-Execution.html
  OpenMRS Java Deserialization Remote Code Execution ≈ Packet Storm (Third Party Advisory; VDB Entry)
- https://www.exploit-db.com/exploits/46327/
  OpenMRS Platform < 2.24.0 - Insecure Object Deserialization (Exploit; VDB Entry; Third Party Advisory)
- http://packetstormsecurity.com/files/151553/OpenMRS-Platform-Insecure-Object-Deserialization.html
  OpenMRS Platform Insecure Object Deserialization ≈ Packet Storm (Exploit; Third Party Advisory; VDB Entry)