GHSA-JJGJ-CX3Q-PW4W

Vulnerability from github – Published: 2026-05-04 17:18 – Updated: 2026-05-08 15:36
VLAI
Summary
OpenMRS ModuleResourcesServlet has Path Traversal that Leads to Arbitrary File Read
Details

Affected Versions

version ≤ 2.7.8 (latest version at time of disclosure)

https://github.com/openmrs/openmrs-core

Impact

The /openmrs/moduleResources/{moduleid} endpoint in OpenMRS Core is vulnerable to a path traversal attack. The ModuleResourcesServlet does not properly validate user-supplied path input, allowing an attacker to traverse directories and read arbitrary files from the server filesystem (e.g., /etc/passwd, application configuration files containing database credentials).

This endpoint serves static module resources (CSS, JS, images) and is not protected by authentication filters, as these resources are required for rendering the login page. Therefore, this vulnerability can be exploited by an unauthenticated attacker.

Note: Successful exploitation requires the target deployment to run on Apache Tomcat < 8.5.31, where the ..; path parameter bypass is not mitigated by the container. Deployments on Tomcat ≥ 8.5.31 / ≥ 9.0.10 are protected at the container level, though the underlying code defect remains.

Steps to Reproduce

  1. Identify a valid installed module ID on the target OpenMRS instance (e.g., legacyui).
  2. Send the following HTTP request:

image

  1. The server responds with HTTP 200 and the contents of /etc/passwd:

image

Root Cause Analysis

The vulnerability exists in ModuleResourcesServlet.java (web/src/main/java/org/openmrs/module/web/ModuleResourcesServlet.java).

The getFile() method constructs a filesystem path from user-controlled input without performing path boundary validation:

protected File getFile(HttpServletRequest request) {
    // Step 1: User-controlled path input
    String path = request.getPathInfo();

    // Step 2: Extract module from path prefix
    Module module = ModuleUtil.getModuleForPath(path);
    if (module == null) { return null; }

    // Step 3: Strip module ID prefix — no traversal check
    String relativePath = ModuleUtil.getPathForResource(module, path);

    // Step 4: Concatenate into absolute path
    String realPath = getServletContext().getRealPath("")
        + MODULE_PATH
        + module.getModuleIdAsPath()
        + "/resources"
        + relativePath;  // contains "/../../../etc/passwd"

    realPath = realPath.replace("/", File.separator);

    // Step 5: No normalize().startsWith() boundary check
    File f = new File(realPath);
    if (!f.exists()) { return null; }

    return f;  // Arbitrary file returned to client
}

The helper method ModuleUtil.getPathForResource() only strips the module ID prefix and performs no sanitization:

public static String getPathForResource(Module module, String path) {
    if (path.startsWith("/")) {
        path = path.substring(1);
    }
    return path.substring(module.getModuleIdAsPath().length());
    // Returns unsanitized remainder, e.g., "/../../../../../../etc/passwd"
}

The resulting path resolves as:

{webapp}/WEB-INF/view/module/legacyui/resources/../../../../../../etc/passwd
  → /etc/passwd

Notably, the same codebase already implements correct path traversal protection in StartupFilter.java:

// StartupFilter.java — correct protection
fullFilePath = fullFilePath.resolve(httpRequest.getPathInfo());
if (!(fullFilePath.normalize().startsWith(filePath))) {
    log.warn("Detected attempted directory traversal...");
    return;  // Request rejected
}

This check is absent from ModuleResourcesServlet.

Remediation

Add a path boundary check after constructing realPath and before returning the File object. The fix should use normalize() + startsWith() to ensure the resolved path stays within the allowed module resources directory:

File f = new File(realPath);
Path allowedBase = Paths.get(getServletContext().getRealPath(""), "WEB-INF", "view", "module");
if (!f.toPath().normalize().startsWith(allowedBase.normalize())) {
    log.warn("Blocked path traversal attempt: {}", request.getPathInfo());
    return null;
}

This is consistent with the existing pattern used in StartupFilter.java and TestInstallUtil.java within the same project.

Severity
7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
8.2 (High)
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.openmrs.web:openmrs-web"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.7.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.8.5"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.openmrs.web:openmrs-web"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.8.0"
            },
            {
              "fixed": "2.8.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-40075"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-04T17:18:48Z",
    "nvd_published_at": "2026-05-05T22:16:00Z",
    "severity": "HIGH"
  },
  "details": "## Affected Versions\n\nversion \u2264 2.7.8 (latest version at time of disclosure)\n\nhttps://github.com/openmrs/openmrs-core\n\n## Impact\n\nThe `/openmrs/moduleResources/{moduleid}` endpoint in OpenMRS Core is vulnerable to a path traversal attack. The `ModuleResourcesServlet` does not properly validate user-supplied path input, allowing an attacker to traverse directories and read arbitrary files from the server filesystem (e.g., `/etc/passwd`, application configuration files containing database credentials).\n\nThis endpoint serves static module resources (CSS, JS, images) and is **not protected by authentication filters**, as these resources are required for rendering the login page. Therefore, this vulnerability can be exploited by an **unauthenticated** attacker.\n\n\u003e **Note:** Successful exploitation requires the target deployment to run on **Apache Tomcat \u003c 8.5.31**, where the `..;` path parameter bypass is not mitigated by the container. Deployments on Tomcat \u2265 8.5.31 / \u2265 9.0.10 are protected at the container level, though the underlying code defect remains.\n\u003e \n\n## Steps to Reproduce\n\n1. Identify a valid installed module ID on the target OpenMRS instance (e.g., `legacyui`).\n2. Send the following HTTP request:\n\n\u003cimg width=\"1038\" height=\"798\" alt=\"image\" src=\"https://github.com/user-attachments/assets/7d10ee0e-4d81-4c01-bc84-a1bf5715f170\" /\u003e\n\n3. The server responds with HTTP 200 and the contents of `/etc/passwd`:\n\n\u003cimg width=\"1028\" height=\"843\" alt=\"image\" src=\"https://github.com/user-attachments/assets/b6806a7e-ff52-4f51-8f7f-7ea4e9754d10\" /\u003e\n\n\n## Root Cause Analysis\n\nThe vulnerability exists in `ModuleResourcesServlet.java` (`web/src/main/java/org/openmrs/module/web/ModuleResourcesServlet.java`).\n\nThe `getFile()` method constructs a filesystem path from user-controlled input without performing path boundary validation:\n\n```java\nprotected File getFile(HttpServletRequest request) {\n    // Step 1: User-controlled path input\n    String path = request.getPathInfo();\n\n    // Step 2: Extract module from path prefix\n    Module module = ModuleUtil.getModuleForPath(path);\n    if (module == null) { return null; }\n\n    // Step 3: Strip module ID prefix \u2014 no traversal check\n    String relativePath = ModuleUtil.getPathForResource(module, path);\n\n    // Step 4: Concatenate into absolute path\n    String realPath = getServletContext().getRealPath(\"\")\n        + MODULE_PATH\n        + module.getModuleIdAsPath()\n        + \"/resources\"\n        + relativePath;  // contains \"/../../../etc/passwd\"\n\n    realPath = realPath.replace(\"/\", File.separator);\n\n    // Step 5: No normalize().startsWith() boundary check\n    File f = new File(realPath);\n    if (!f.exists()) { return null; }\n\n    return f;  // Arbitrary file returned to client\n}\n```\n\nThe helper method `ModuleUtil.getPathForResource()` only strips the module ID prefix and performs no sanitization:\n\n```java\npublic static String getPathForResource(Module module, String path) {\n    if (path.startsWith(\"/\")) {\n        path = path.substring(1);\n    }\n    return path.substring(module.getModuleIdAsPath().length());\n    // Returns unsanitized remainder, e.g., \"/../../../../../../etc/passwd\"\n}\n```\n\nThe resulting path resolves as:\n\n```\n{webapp}/WEB-INF/view/module/legacyui/resources/../../../../../../etc/passwd\n  \u2192 /etc/passwd\n```\n\nNotably, the same codebase already implements correct path traversal protection in `StartupFilter.java`:\n\n```java\n// StartupFilter.java \u2014 correct protection\nfullFilePath = fullFilePath.resolve(httpRequest.getPathInfo());\nif (!(fullFilePath.normalize().startsWith(filePath))) {\n    log.warn(\"Detected attempted directory traversal...\");\n    return;  // Request rejected\n}\n```\n\nThis check is absent from `ModuleResourcesServlet`.\n\n## Remediation\n\nAdd a path boundary check after constructing `realPath` and before returning the `File` object. The fix should use `normalize()` + `startsWith()` to ensure the resolved path stays within the allowed module resources directory:\n\n```java\nFile f = new File(realPath);\nPath allowedBase = Paths.get(getServletContext().getRealPath(\"\"), \"WEB-INF\", \"view\", \"module\");\nif (!f.toPath().normalize().startsWith(allowedBase.normalize())) {\n    log.warn(\"Blocked path traversal attempt: {}\", request.getPathInfo());\n    return null;\n}\n```\n\nThis is consistent with the existing pattern used in `StartupFilter.java` and `TestInstallUtil.java` within the same project.",
  "id": "GHSA-jjgj-cx3q-pw4w",
  "modified": "2026-05-08T15:36:10Z",
  "published": "2026-05-04T17:18:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openmrs/openmrs-core/security/advisories/GHSA-jjgj-cx3q-pw4w"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40075"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openmrs/openmrs-core"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenMRS ModuleResourcesServlet has Path Traversal that Leads to Arbitrary File Read"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.