### Key Information

#### Vulnerability Description

- **Vulnerability Type**: Remote Code Execution (RCE) via path traversal and arbitrary file write
- **Affected Area**: The CRF data import workflow, through the `multipart` upload parameter `xml_file`

#### Affected Products and Versions

- **OpenClinica Community Edition**
  - 3.13 (Changeset: 74f4df3481b6, 2017-02-28)
  - 3.12.2 (Changeset: 347dcfca3d17, OpenClinica VM Image, 2016-11-21)

#### Vulnerability Analysis

- **Authentication**: Required; exploitation was confirmed with the Data Manager and Clinical Research Coordinator roles
- **Summary**: The upload handler trusts the client-supplied `filename` of the multipart part and does not strip or reject `../` sequences, so the file is written to a path outside the intended upload directory. An authenticated attacker can write a JSP file into a web-accessible directory and then request it, causing the servlet container to compile and execute it.
- **Impact**:
  - Arbitrary file write on the host, limited only by the permissions of the user running the servlet container
  - Remote code execution in the context of that servlet container
  - Complete compromise of confidentiality, integrity, and availability of the application and its data

#### Severity

- **CVSS v3.1**: 8.8 (High)
- **CWE**: CWE-22 (Path Traversal), CWE-434 (Unrestricted Upload of File with Dangerous Type)

#### Mitigation

- Never use the client-provided `filename` to build a filesystem path. Save uploads under a server-generated name in a fixed directory that is outside the web root.
- Reject filenames containing `../`, path separators (`/` and `\`), or absolute paths. Enforce a content-type and extension allowlist, and parse and validate the uploaded XML on the server side before storing it.
- Run Tomcat/OpenClinica as a non-privileged user that has no write access to the web root, so that even a successful arbitrary write cannot place a JSP where the container will execute it; disable JSP execution where it is not required.

#### Timeline

- 2025-10-09: Discovered and reproduced in versions 3.12.2 and 3.13
- 2025-10-09: Attempted contact with vendor, no response
- 2025-10-23: Reported to VulDB
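The following is an added example illustrating the vulnerable path-building pattern described above next to a hardened version that applies the mitigations listed. It is not OpenClinica code and does not reproduce the affected handler; the class and method names (`CrfUploadHardening`, `vulnerableTarget`, `hardenedTarget`, `parseCrfXml`, `storeUpload`), the attacker filename and the ODM-style XML snippet are all constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.UUID;
import java.util.regex.Pattern;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;

// Added example; hypothetical names, not the OpenClinica implementation.
public class CrfUploadHardening {

    // Vulnerable pattern (the class of bug in the advisory): the client-controlled
    // multipart filename is joined onto the upload directory unchanged, so a name
    // such as "../../webapps/ROOT/cmd.jsp" resolves outside uploadDir.
    static Path vulnerableTarget(Path uploadDir, String clientFilename) {
        return uploadDir.resolve(clientFilename);
    }

    // Conservative allowlist: letters, digits, '_' and '-', then a ".xml" suffix.
    private static final Pattern SAFE_NAME = Pattern.compile("^[A-Za-z0-9_-]{1,100}\\.xml$");

    // Hardened pattern: validate the client filename (it may still be logged),
    // but never use it to build the path; write under a server-generated name
    // and confirm the result stays inside the canonical upload directory.
    static Path hardenedTarget(Path uploadDir, String clientFilename) throws IOException {
        if (clientFilename == null
                || clientFilename.contains("/") || clientFilename.contains("\\")
                || clientFilename.contains("..")
                || !SAFE_NAME.matcher(clientFilename).matches()) {
            throw new IOException("rejected client filename");
        }
        Path base = uploadDir.toRealPath();                         // symlinks resolved
        Path target = base.resolve(UUID.randomUUID() + ".xml").normalize();
        if (!target.startsWith(base)) {                             // defence in depth
            throw new IOException("target escaped upload directory");
        }
        return target;
    }

    // Server-side XML validation with DOCTYPE and external entities disabled;
    // a body that does not parse is never written to disk.
    static Document parseCrfXml(byte[] body) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(body));
    }

    // Complete handler: validate content first, then copy to the server-chosen path.
    static Path storeUpload(Path uploadDir, String clientFilename, byte[] body) throws Exception {
        parseCrfXml(body);
        Path target = hardenedTarget(uploadDir, clientFilename);
        try (InputStream in = new ByteArrayInputStream(body)) {
            Files.copy(in, target, StandardCopyOption.REPLACE_EXISTING);
        }
        return target;
    }

    public static void main(String[] args) throws Exception {
        Path uploadDir = Files.createTempDirectory("crf-uploads");
        String evil = "../../webapps/ROOT/cmd.jsp";                 // constructed attacker filename

        System.out.println("vulnerable resolves to: " + vulnerableTarget(uploadDir, evil).normalize());
        try {
            hardenedTarget(uploadDir, evil);
        } catch (IOException e) {
            System.out.println("hardened rejected: " + e.getMessage());
        }

        // Constructed sample body; a real CRF import would carry a full ODM document.
        byte[] xml = "<ODM><Study OID=\"S1\"/></ODM>".getBytes(StandardCharsets.UTF_8);
        Path stored = storeUpload(uploadDir, "crf_export.xml", xml);
        System.out.println("stored under server-generated name: " + stored);
    }
}
```

Compile and run with `javac CrfUploadHardening.java && java CrfUploadHardening`. The first line of output shows the traversal name resolving to a `webapps/ROOT` location two levels above the upload directory, which is exactly the write the advisory describes; the hardened path rejects that name and, for a legitimate name, discards it in favour of a UUID inside the canonical upload directory. Keeping that directory outside the web root and unwritable by anything but the upload code is what turns a remaining file-write bug into a non-executable one.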