CVE-2022-24831
OpenClinica is open source software for Electronic Data Capture (EDC) and Clinical Data Management (CDM). Versions prior to 3.16.1 are vulnerable to SQL injection because SQL queries are built by string concatenation instead of with prepared statements. No known workarounds exist. This issue has been patched in 3.16.1, 3.15.9, 3.14.1, and 3.13.1, and users are advised to upgrade.
Patched versions
3.13.1, 3.14.1, 3.16.2
Impact
SQL Injection.
The following locations are vulnerable to SQL injection due to the use of string concatenation to create SQL queries instead of prepared statements.
These vulnerabilities were uncovered and reported by a CodeQL query from LGTM.com. The query below shows the specific dataflow paths and string concatenations that create the conditions for this vulnerability.
https://lgtm.com/projects/g/OpenClinica/OpenClinica/alerts/?mode=list&tag=security&id=java%2Fsql-injection
A summary of the vulnerabilities can be found below:
`ps = con.prepareStatement(query);`
- Vulnerable parameters: formVersionOID; Endpoints:
- /rest/auth/api/v1/clinicaldata/json/view/{studyOID}/{studySubjectIdentifier}/{studyEventOID}/{formVersionOID}
- /rest/clinicaldata/json/view/{studyOID}/{studySubjectIdentifier}/{studyEventOID}/{formVersionOID}
- /rest/clinicaldata/xml/view/{studyOID}/{studySubjectIdentifier}/{studyEventOID}/{formVersionOID}
- /rest/metadata/xml/view/{studyOID}/{studyEventDefinitionOId}/{formVersionOID}
- /rest/metadata/json/view/{studyOID}/{studyEventDefinitionOId}/{formVersionOID}
Vulnerable POST parameters for endpoint `rest/auth/api/itemdata`: ssOid, sedOid, eventOrdinal, crfOid, in the following locations:
- `org.hibernate.Query q = getCurrentSession().createQuery(query);`
- `org.hibernate.Query q = getCurrentSession().createQuery(query);`
- `org.hibernate.Query q = getCurrentSession().createQuery(query);`
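As an added illustration (not code from OpenClinica or from the advisory), the pattern flagged above is shown beside its parameterized replacement for both the JDBC `prepareStatement` and the Hibernate `createQuery` locations. The table, column and entity names (`crf_version`, `oc_oid`, `CrfVersion`) are assumptions for the example only.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;

import org.hibernate.Query;
import org.hibernate.Session;

/**
 * Lookup of a CRF version by its OID. Table, column and entity names are
 * assumed for this example and are not taken from the OpenClinica code base.
 */
public class FormVersionLookup {

    // VULNERABLE: the caller-supplied path variable is spliced into the SQL text,
    // so a value containing a quote changes the structure of the statement.
    static PreparedStatement unsafeJdbc(Connection con, String formVersionOID) throws SQLException {
        String query = "select * from crf_version where oc_oid = '" + formVersionOID + "'";
        // prepareStatement() cannot help once the statement text has already been built.
        return con.prepareStatement(query);
    }

    // FIXED: the value is bound as a parameter and sent separately from the SQL text.
    static PreparedStatement safeJdbc(Connection con, String formVersionOID) throws SQLException {
        PreparedStatement ps = con.prepareStatement("select * from crf_version where oc_oid = ?");
        ps.setString(1, formVersionOID);
        return ps;
    }

    // VULNERABLE: the same defect in HQL; createQuery() parses whatever string it receives.
    static Query unsafeHql(Session session, String crfOid) {
        String query = "from CrfVersion cv where cv.ocOid = '" + crfOid + "'";
        return session.createQuery(query);
    }

    // FIXED: a named parameter bound with setParameter() is never parsed as HQL.
    static Query safeHql(Session session, String crfOid) {
        return session.createQuery("from CrfVersion cv where cv.ocOid = :oid")
                      .setParameter("oid", crfOid);
    }
}
```

The fix applied in b152cc6 follows the second form: the query text is constant and every request-derived value enters through a bound parameter.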
Patches
b152cc6
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
No
References
- https://owasp.org/www-community/attacks/SQL_Injection