CVE-2023-40279
Published: 19 March 2024
Summary
CVE-2023-40279 is a high-severity Path Traversal (CWE-22) vulnerability in OpenClinic GA (vendor: OpenClinic GA Project). Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 4.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
OpenClinic GA version 5.247.01 contains a path traversal vulnerability (CWE-22) that allows an unauthenticated remote attacker to supply an arbitrary directory path through the Page parameter of a GET request to main.do. The flaw received a CVSS 3.1 score of 7.5, reflecting a network attack vector, low attack complexity, and high confidentiality impact, with no privileges or user interaction required.
An attacker can therefore retrieve files outside the intended web root, exposing sensitive configuration data, source code, or other restricted content stored on the server. The published proof-of-concept report demonstrates successful traversal without authentication, confirming that any reachable instance is directly exposed to information disclosure.
EPSS scores have remained near 0.20 with only a negligible peak-to-current difference, indicating limited observed exploitation interest since disclosure. No vendor advisory or patch information appears in the referenced project pages or reports.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-44872
Vulnerability details
An issue was discovered in OpenClinic GA 5.247.01. An attacker can perform a directory path traversal via the Page parameter in a GET request to main.do.
- CWE(s): CWE-22 (Path Traversal)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
OpenClinic GA 5.247.01
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.
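As an added example (not code from OpenClinic GA or from the advisory), the control above implemented in Python for a Page-style request parameter: an allowlist of known page names combined with a canonical-path containment check, so traversal sequences, still-encoded traversal and absolute paths are all rejected before any file is opened. The web root, the page names and the `.jsp` suffix are assumptions.

```python
import os
import re
import urllib.parse
from typing import Optional

# Assumed web root holding the page templates (not taken from the advisory).
WEB_ROOT = os.path.realpath("/var/www/openclinic/pages")

# Constructed allowlist of page names the application is meant to serve.
ALLOWED_PAGES = {"home", "patients/list", "admin/settings"}

# A path segment may only be a plain identifier: no dots, slashes or encodings.
_SAFE_SEGMENT = re.compile(r"^[A-Za-z0-9_-]+$")


def resolve_page(page_param: str, web_root: str = WEB_ROOT) -> Optional[str]:
    """Map an untrusted Page request parameter to a file under web_root.

    Returns the canonical absolute path of the page file, or None when the
    value is rejected. Rejections: empty or NUL-containing input, input that
    still carries percent-encoding (double encoding after the framework's own
    decode), absolute paths, backslashes, any segment that is not a plain
    identifier (this covers ".." and "."), names not on the allowlist, and
    a resolved path that does not stay inside web_root.
    """
    if not page_param or "\x00" in page_param:
        return None
    if urllib.parse.unquote(page_param) != page_param:
        return None  # still encoded: refuse rather than decode again
    if page_param.startswith(("/", "\\")) or "\\" in page_param:
        return None
    if not all(_SAFE_SEGMENT.match(seg) for seg in page_param.split("/")):
        return None
    if page_param not in ALLOWED_PAGES:
        return None
    candidate = os.path.realpath(os.path.join(web_root, page_param + ".jsp"))
    # Defence in depth: confirm containment after canonicalisation, so a
    # symlink or a future relaxation of the checks above cannot escape.
    if os.path.commonpath([web_root, candidate]) != web_root:
        return None
    return candidate


if __name__ == "__main__":
    for value in ("home", "patients/list", "../../etc/passwd", "/etc/passwd"):
        print(repr(value), "->", resolve_page(value))
```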