[TRUNK-6043] Blind time-based SQL injection vulnerability - OpenMRS Issues

XML

Word

Printable

Details

Type: Bug
Status: Ready for Work
Priority: TBD
Resolution: Unresolved
Affects Version/s: Core 2.4.0, Platform 2.4.0, Reference Application 2.11.0
Fix Version/s: None
Component/s: security
Labels:
- security

Complexity:
Medium
Development:

Description

There is a blind time-based SQL injection attack in OpenMRS. Details were shared with security@openmrs.org on Monday, October 25, 2021 @ 10:37 AM ET/US; I was requested to create a Jira ticket. For full details of the vulnerability and a proof of concept exploit, see my email. Details will not be disclosed here until the issue is patched as it appears to lead to patient data exposure.

Gliffy Diagrams

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Mark Rudnitsky

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 2021-10-29 20:00:51 GMT

Updated:: 2021-11-02 21:52:32 GMT