Vulnerabilities

6 via 11 paths

Dependencies

32

Source

GitHub

Commit

37fe81e1

Find, fix and prevent vulnerabilities in your code.

Issue type
  • 6
  • 3
Severity
  • 1
  • 3
  • 4
  • 1
Status
  • 9
  • 0
  • 0

critical severity

Remote Code Execution (RCE)

  • Vulnerable module: com.h2database:h2
  • Introduced through: com.h2database:h2@1.4.200 and org.dbunit:dbunit@2.8.0

Detailed paths

  • Introduced through: openmrs/openmrs-core@openmrs/openmrs-core#37fe81e14901fe048ae3d7b8239478e290ff3ad4 com.h2database:h2@1.4.200
    Remediation: Upgrade to com.h2database:h2@2.1.210.
  • Introduced through: openmrs/openmrs-core@openmrs/openmrs-core#37fe81e14901fe048ae3d7b8239478e290ff3ad4 org.dbunit:dbunit@2.8.0 com.h2database:h2@1.4.200
    Remediation: Upgrade to org.dbunit:dbunit@2.8.0.

Overview

com.h2database:h2 is a database engine

Affected versions of this package are vulnerable to Remote Code Execution (RCE) via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring.

Remediation

Upgrade com.h2database:h2 to version 2.1.210 or higher.

References

high severity

Remote Code Execution (RCE)

  • Vulnerable module: com.h2database:h2
  • Introduced through: com.h2database:h2@1.4.200 and org.dbunit:dbunit@2.8.0

Detailed paths

  • Introduced through: openmrs/openmrs-core@openmrs/openmrs-core#37fe81e14901fe048ae3d7b8239478e290ff3ad4 com.h2database:h2@1.4.200
    Remediation: Upgrade to com.h2database:h2@2.0.206.
  • Introduced through: openmrs/openmrs-core@openmrs/openmrs-core#37fe81e14901fe048ae3d7b8239478e290ff3ad4 org.dbunit:dbunit@2.8.0 com.h2database:h2@1.4.200
    Remediation: Upgrade to org.dbunit:dbunit@2.8.0.

Overview

com.h2database:h2 is a database engine

Affected versions of this package are vulnerable to Remote Code Execution (RCE). H2 Console allows loading of custom classes from remote servers through JNDI. This can lead to code execution

If remote access was enabled explicitly and some protection method (such as security constraint) are not set, an intruder can load their own custom class and execute their code in a process using H2 Console (a H2 Server process or a web server with H2 Console servlet).

Note: It should be noted that H2 Console doesn't accept remote connections by default.

Workarounds

  • H2 Console should never be available to untrusted users.

  • -webAllowOthers is a dangerous setting that should be avoided.

  • H2 Console Servlet deployed on a web server can be protected with a security constraint: https://h2database.com/html/tutorial.html#usingH2ConsoleServlet If webAllowOthers is specified, you need to uncomment and edit and as necessary. See documentation of your web server for more details.

All these workaround are mitigatory and unlikely to prevent all attack vectors, upgrade to a fixed version for full remediation.

Remediation

Upgrade com.h2database:h2 to version 2.0.206 or higher.

References

high severity

XML External Entity (XXE) Injection

  • Vulnerable module: com.h2database:h2
  • Introduced through: com.h2database:h2@1.4.200 and org.dbunit:dbunit@2.8.0

Detailed paths

  • Introduced through: openmrs/openmrs-core@openmrs/openmrs-core#37fe81e14901fe048ae3d7b8239478e290ff3ad4 com.h2database:h2@1.4.200
    Remediation: Upgrade to com.h2database:h2@2.0.202.
  • Introduced through: openmrs/openmrs-core@openmrs/openmrs-core#37fe81e14901fe048ae3d7b8239478e290ff3ad4 org.dbunit:dbunit@2.8.0 com.h2database:h2@1.4.200
    Remediation: Upgrade to org.dbunit:dbunit@2.8.0.

Overview

com.h2database:h2 is a database engine

Affected versions of this package are vulnerable to XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class object, when it receives parsed string data from org.h2.jdbc.JdbcResultSet.getSQLXML() method. If it executes the getSource() method when the parameter is DOMSource.class it will trigger the vulnerability.

Details

XXE Injection is a type of attack against an application that parses XML input. XML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.

Attacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.

For example, below is a sample XML document, containing an XML element- username.

<xml>
<?xml version="1.0" encoding="ISO-8859-1"?>
   <username>John</username>
</xml>

An external XML entity - xxe, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. For example the below code contains an external XML entity that would fetch the content of /etc/passwd and display it to the user rendered by username.

<xml>
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
   <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
   <username>&xxe;</username>
</xml>

Other XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.

Remediation

Upgrade com.h2database:h2 to version 2.0.202 or higher.

References

high severity

Remote Code Execution (RCE)

  • Vulnerable module: com.h2database:h2
  • Introduced through: com.h2database:h2@1.4.200 and org.dbunit:dbunit@2.8.0

Detailed paths

  • Introduced through: openmrs/openmrs-core@openmrs/openmrs-core#37fe81e14901fe048ae3d7b8239478e290ff3ad4 com.h2database:h2@1.4.200
  • Introduced through: openmrs/openmrs-core@openmrs/openmrs-core#37fe81e14901fe048ae3d7b8239478e290ff3ad4 org.dbunit:dbunit@2.8.0 com.h2database:h2@1.4.200

Overview

com.h2database:h2 is a database engine

Affected versions of this package are vulnerable to Remote Code Execution (RCE). It provides a web console for managing the database, and by default it does not have a password set. The CREATE ALIAS function calls Java code, allowing an attacker to execute arbitrary Java code on projects running the h2 database.

NOTE: To be remotely exploitable, the affected application must be configured with the non-default setting webAllowOthers=true, either in a config file or as a parameter passed in when the servlet is invoked. The vulnerability can be avoided by setting a password on the database and/or restricting access to localhost using the above setting.

PoC

CREATE ALIAS REVERSE AS $$ String reverse(String s) { return new StringBuilder(s).reverse().toString(); } $$;
CALL REVERSE('Test');

Remediation

There is no fixed version for com.h2database:h2.

References

medium severity

Information Exposure

  • Vulnerable module: com.h2database:h2
  • Introduced through: com.h2database:h2@1.4.200 and org.dbunit:dbunit@2.8.0

Detailed paths

  • Introduced through: openmrs/openmrs-core@openmrs/openmrs-core#37fe81e14901fe048ae3d7b8239478e290ff3ad4 com.h2database:h2@1.4.200
    Remediation: Upgrade to com.h2database:h2@2.2.220.
  • Introduced through: openmrs/openmrs-core@openmrs/openmrs-core#37fe81e14901fe048ae3d7b8239478e290ff3ad4 org.dbunit:dbunit@2.8.0 com.h2database:h2@1.4.200
    Remediation: Upgrade to org.dbunit:dbunit@2.8.0.

Overview

com.h2database:h2 is a database engine

Affected versions of this package are vulnerable to Information Exposure when H2 web-based admin console was started via the CLI with the argument -webAdminPassword, which allows a local user to specify the password in plaintext for the web admin console. Consequently, a malicious local user or an attacker that has obtained local access through some means would be able to get the password for the H2 web admin console by looking at the running processes.

Vendor Statement: "This is not a vulnerability of the H2 Console, this is an example of how not to use it. I think there is nothing to do with it on the H2 side. Passwords should never be passed on the command line, and every qualified DBA or system administrator is expected to know that."

Remediation

Upgrade com.h2database:h2 to version 2.2.220 or higher.

References

medium severity

Dual license: MPL-2.0, EPL-1.0

  • Module: com.h2database:h2
  • Introduced through: com.h2database:h2@1.4.200 and org.dbunit:dbunit@2.8.0

Detailed paths

  • Introduced through: openmrs/openmrs-core@openmrs/openmrs-core#37fe81e14901fe048ae3d7b8239478e290ff3ad4 com.h2database:h2@1.4.200
  • Introduced through: openmrs/openmrs-core@openmrs/openmrs-core#37fe81e14901fe048ae3d7b8239478e290ff3ad4 org.dbunit:dbunit@2.8.0 com.h2database:h2@1.4.200

Dual license: MPL-2.0, EPL-1.0

medium severity

EPL-1.0 license

  • Module: junit:junit
  • Introduced through: junit:junit@4.13.2, org.junit.vintage:junit-vintage-engine@5.11.3 and others

Detailed paths

  • Introduced through: openmrs/openmrs-core@openmrs/openmrs-core#37fe81e14901fe048ae3d7b8239478e290ff3ad4 junit:junit@4.13.2
  • Introduced through: openmrs/openmrs-core@openmrs/openmrs-core#37fe81e14901fe048ae3d7b8239478e290ff3ad4 org.junit.vintage:junit-vintage-engine@5.11.3 junit:junit@4.13.2
  • Introduced through: openmrs/openmrs-core@openmrs/openmrs-core#37fe81e14901fe048ae3d7b8239478e290ff3ad4 org.powermock:powermock-module-junit4@2.0.9 junit:junit@4.13.2
  • Introduced through: openmrs/openmrs-core@openmrs/openmrs-core#37fe81e14901fe048ae3d7b8239478e290ff3ad4 org.powermock:powermock-module-junit4@2.0.9 org.powermock:powermock-module-junit4-common@2.0.9 junit:junit@4.13.2

EPL-1.0 license

medium severity

LGPL-2.1 license

  • Module: org.dbunit:dbunit
  • Introduced through: org.dbunit:dbunit@2.8.0

Detailed paths

  • Introduced through: openmrs/openmrs-core@openmrs/openmrs-core#37fe81e14901fe048ae3d7b8239478e290ff3ad4 org.dbunit:dbunit@2.8.0

LGPL-2.1 license

low severity

Improper Handling of Case Sensitivity

  • Vulnerable module: org.springframework:spring-core
  • Introduced through: org.springframework:spring-test@5.3.30

Detailed paths

  • Introduced through: openmrs/openmrs-core@openmrs/openmrs-core#37fe81e14901fe048ae3d7b8239478e290ff3ad4 org.springframework:spring-test@5.3.30 org.springframework:spring-core@5.3.30
    Remediation: Upgrade to org.springframework:spring-test@6.1.14.

Overview

org.springframework:spring-core is a core package within the spring-framework that contains multiple classes and utilities.

Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity due to String.toLowerCase() having some Locale dependent exceptions that could potentially result in fields not protected as expected.

Note: The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive.

Remediation

Upgrade org.springframework:spring-core to version 6.1.14 or higher.

References