### Critical Vulnerability Information

#### Vulnerability Type

- **RCE (Remote Code Execution)**
- **Path Traversal**
- **Arbitrary File Write**

#### Affected Products and Versions

- **OpenClinica Community Edition**
  - 3.13 (Changeset: 74f4df3481b6, 2017-02-28)
  - 3.12.2 (Changeset: 347dcfca3d17, 2016-11-21) (OpenClinica VM Image)

#### Affected Area

- **Tasks → Import CRF Data**
- Multipart upload parameter: `xml_file`

#### Authorization

- **Authenticated** (tested with Data Administrator and Clinical Research Coordinator roles)

#### Summary

- The upload handler trusts client-provided filenames and accepts `../` traversal, allowing file writes outside the intended directory. By targeting the deployed webapp path, attackers can write JSP files and achieve execution upon request.

#### Impact

- Arbitrary file write on the host
- Remote code execution in servlet container context
- Complete compromise of confidentiality, integrity, and availability

#### Severity (Recommended)

- **CVSS v3.1:** AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H → 8.8 High
- **CWE:** 22 (Path Traversal), 434 (Unrestricted File Upload)

#### Mitigation

- Do not use client-provided filenames to build paths. Save to a fixed, non-web-accessible directory using server-generated names.
- Reject `../` and path separators as well as absolute paths. Enforce content type/extension allowlists and validate XML server-side.
- Run Tomcat/OpenClinica as a non-privileged user; make the web root unwritable; disable JSP execution when not required.

#### Timeline

- 2025-10-09: Discovered and reproduced on 3.12.2 and 3.13 images.
- 2025-10-09: Attempted contact with vendor; no response.
- 2025-10-23: Reported to VulDB.
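The mitigation items above, carried through as one hardened upload handler. This is an added illustration written for this page, not OpenClinica's code: the storage directory `/var/lib/openclinica/imports`, the class and method names, and the sample inputs in `main` are all assumptions. The client filename is only screened and logged, never used to build a path; the stored name is server-generated, the resolved path is re-checked against the fixed directory, and the body is parsed with DTDs and external entities disabled before it is accepted.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.util.Set;
import java.util.UUID;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXException;

/** Illustrative hardened CRF import handler (example code, not OpenClinica's). */
public final class SafeCrfImport {

    // Fixed, non-web-accessible storage directory (assumed path; set per deployment).
    private static final Path IMPORT_DIR = Paths.get("/var/lib/openclinica/imports").toAbsolutePath().normalize();

    private static final Set<String> ALLOWED_EXTENSIONS = Set.of("xml");
    private static final Set<String> ALLOWED_TYPES = Set.of("text/xml", "application/xml");

    /** Accepts only a bare file name with an allowed extension; rejects any path-like input. */
    static boolean isAcceptableClientName(String name) {
        if (name == null || name.isEmpty()) return false;
        // Separators, parent references, NUL bytes or a leading dot mean "not a plain file name".
        if (name.contains("/") || name.contains("\\") || name.contains("..") || name.indexOf('\0') >= 0) return false;
        if (name.startsWith(".")) return false;
        int dot = name.lastIndexOf('.');
        if (dot <= 0 || dot == name.length() - 1) return false;
        return ALLOWED_EXTENSIONS.contains(name.substring(dot + 1).toLowerCase());
    }

    /** Parses the stored file as XML with DOCTYPE and external entities disabled. */
    static void validateXml(Path file) throws IOException {
        try {
            DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
            dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            dbf.setXIncludeAware(false);
            dbf.setExpandEntityReferences(false);
            dbf.newDocumentBuilder().parse(file.toFile());
        } catch (ParserConfigurationException | SAXException e) {
            throw new IOException("upload is not acceptable XML: " + e.getMessage(), e);
        }
    }

    /**
     * Stores an upload under a server-generated name inside IMPORT_DIR.
     * clientName and contentType come from the multipart request and are untrusted.
     */
    public static Path store(String clientName, String contentType, InputStream body) throws IOException {
        if (!isAcceptableClientName(clientName)) {
            throw new IOException("rejected client filename");
        }
        if (contentType == null || !ALLOWED_TYPES.contains(contentType.toLowerCase())) {
            throw new IOException("rejected content type");
        }
        Files.createDirectories(IMPORT_DIR);
        // The client name never participates in the path; only a fixed prefix and a UUID do.
        Path target = IMPORT_DIR.resolve("import-" + UUID.randomUUID() + ".xml").normalize();
        // Defence in depth: the resolved path must still sit inside the fixed directory.
        if (!target.startsWith(IMPORT_DIR)) {
            throw new IOException("resolved path escaped import directory");
        }
        Files.copy(body, target, StandardCopyOption.REPLACE_EXISTING);
        try {
            validateXml(target);
        } catch (IOException e) {
            Files.deleteIfExists(target); // never keep a file that failed validation
            throw e;
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Constructed inputs: a traversal-style name is rejected before any I/O happens.
        System.out.println(isAcceptableClientName("../../webapps/OpenClinica/shell.jsp")); // false
        System.out.println(isAcceptableClientName("crf_data.xml"));                         // true
        InputStream body = new ByteArrayInputStream("<ODM/>".getBytes(StandardCharsets.UTF_8));
        System.out.println(store("crf_data.xml", "text/xml", body));
    }
}
```

The `startsWith` check after `normalize()` looks redundant once the client name is out of the path, and that is the point: if a later change reintroduces user input into `resolve`, the containment check still fails closed rather than writing outside the directory.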