CVE Number
CVE-2024-29380
Loginsoft ID
Loginsoft-2024-1011
Description
The application “Medplum” is affected by a privilege escalation vulnerability that can lead to the execution of system commands. An attacker with practitioner privileges can elevate themselves to project admin through the ProjectMembership endpoint, and can then execute system commands through the bot editor.
CWE
CWE-269: Improper Privilege Management
CWE-94: Improper Control of Generation of Code ('Code Injection')
Affected Versions
< v3.0.7
CVSS
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H : 8.8(High)
Steps To Reproduce
- Create a practitioner with non-admin privileges.
- Log in as the practitioner and navigate to the endpoint `/ProjectMembership`.
- Click on the ID of the practitioner and navigate to the edit section.
- Scroll to the bottom and enable the admin option. By submitting the request, the practitioner will become project administrator.
- On reloading the browser, the changes will be reflected.
- Navigate to Project under the admin section, and then proceed to Bots.
- Click on the bot’s name, then open the link associated with it.
- Navigate to the editor section, input the provided payload, and execute the command. This action will trigger a system command, leading to the creation of a file in the document folder.
Impact
Ability to run arbitrary commands on SYSTEM.
Mitigation
Remove the option to change admin status or limit access to the ProjectMembership endpoint. Additionally, add filters in the bot editor to prevent the execution of system commands.
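As an added illustration of the first mitigation (this is not Medplum's own code; the types and function names below are hypothetical), a server-side authorization guard that rejects any ProjectMembership update changing the admin flag unless the requester is already a project admin:

```typescript
// Added example: server-side guard for ProjectMembership updates.
// Hypothetical types and names; not taken from the Medplum code base.

interface ProjectMembership {
  id: string;
  project: string;  // reference to the owning project
  profile: string;  // reference to the member's profile, e.g. "Practitioner/u1"
  admin?: boolean;  // project administrator flag (the field abused in CVE-2024-29380)
}

interface Requester {
  profile: string;          // profile reference of the user making the request
  isProjectAdmin: boolean;  // resolved server-side, never taken from the request body
}

type Decision = { allowed: true } | { allowed: false; reason: string };

// Decide whether `requester` may replace `existing` with `proposed`.
// Fails closed: any privileged change by a non-admin is rejected.
function checkMembershipUpdate(
  requester: Requester,
  existing: ProjectMembership,
  proposed: ProjectMembership
): Decision {
  // Identity fields are immutable: a membership cannot be re-pointed elsewhere.
  if (proposed.id !== existing.id || proposed.project !== existing.project ||
      proposed.profile !== existing.profile) {
    return { allowed: false, reason: 'id, project and profile are immutable' };
  }
  // The admin flag may only be changed by someone who is already a project admin.
  const adminChanged = (proposed.admin ?? false) !== (existing.admin ?? false);
  if (adminChanged && !requester.isProjectAdmin) {
    return { allowed: false, reason: 'only project admins may change the admin flag' };
  }
  // Non-admins may edit only their own membership.
  if (!requester.isProjectAdmin && requester.profile !== existing.profile) {
    return { allowed: false, reason: 'cannot modify another member' };
  }
  return { allowed: true };
}
```

A guard like this belongs in the server's write path, so that it is enforced regardless of whether the UI still shows the admin checkbox.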
Fix
https://github.com/medplum/medplum/pull/4074
Discovered Date
15 February 2024
Reported Date
19 February 2024
Patched Date
01 March 2024
Credit
Saharsh Agrawal