Cyber Resilience

CVE-2022-1461

MediumPublic PoC

Published: 25 April 2022

Published
25 April 2022
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
EPSS Score 0.0165 82.4th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-1461 is a medium-severity Insufficient Granularity of Access Control (CWE-1220) vulnerability in Open-Emr Openemr. Its CVSS base score is 6.5 (Medium).

Operationally, ranked in the top 17.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

EU & UK References

Vulnerability details

Non Privilege User can Enable or Disable Registered in GitHub repository openemr/openemr prior to 6.1.0.1.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

open-emr
openemr
≤ 6.1.0.1

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-1220

Use of granular security and privacy attributes enables finer access control than coarse permission models alone.

addresses: CWE-639

Per-request decision making makes it harder to bypass authorization using user-controlled keys without proper validation in the decision process.

addresses: CWE-639

Consistent enforcement of approved authorizations makes bypassing via user-controlled keys ineffective.

addresses: CWE-1220

Documenting interface characteristics enables more granular control over internal access.

addresses: CWE-1220

Requires the architecture to describe granularity and placement of controls, preventing insufficiently fine-grained access decisions.

addresses: CWE-1220

Provides the necessary granularity by placing system management functions outside the reach of user-level access controls.

addresses: CWE-1220

Isolation supplies an explicit, enforceable granularity boundary between security and non-security functions that coarser access-control schemes lack.

References