CVE-2022-23612 is a path traversal vulnerability affecting multiple versions of openmrs-core, a widely used open-source electronic medical record (EMR) system designed for healthcare providers. The vulnerability arises from improper sanitization of user-supplied input in HTTP GET requests targeting the `/images` and `/initfilter/scripts` endpoints. Specifically, the application fails to correctly limit pathname inputs to a restricted directory, allowing an attacker to craft requests that traverse directories and access arbitrary files on the underlying server filesystem. The exploitability depends on the permissions of the user account under which the OpenMRS application runs, potentially exposing sensitive files such as configuration files, patient records, or system credentials. The vulnerability affects openmrs-core versions from 1.6 up to but not including 2.1.5, and similarly for minor versions 2.2.0 to 2.2.1, 2.3.0 to 2.3.5, 2.4.0 to 2.4.5, and 2.5.0 to 2.5.3. Mitigation involves upgrading to the latest patched versions within each minor version series. Additionally, the vulnerability is partially mitigated by Tomcat's URL normalization feature available in Tomcat 7.0.28 and later, which normalizes and blocks path traversal attempts. Organizations running older Tomcat versions should upgrade both Tomcat and OpenMRS to reduce risk. No known exploits have been reported in the wild, but the vulnerability's nature and the sensitivity of healthcare data make it a significant concern. The vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), a common and critical web application security issue.

For European healthcare organizations using OpenMRS, this vulnerability poses a significant risk to the confidentiality and integrity of patient data and other sensitive information. Successful exploitation could allow unauthorized actors to exfiltrate files containing personal health information (PHI), internal configurations, or credentials, potentially leading to data breaches, regulatory non-compliance (e.g., GDPR violations), and reputational damage. The availability impact is lower, as the vulnerability primarily enables information disclosure rather than denial of service. However, attackers could leverage accessed files to escalate privileges or further compromise systems, increasing overall risk. Given the critical role of EMR systems in patient care, any compromise could disrupt healthcare delivery and erode trust. The medium severity rating reflects the balance between the ease of exploitation (no authentication required, user interaction not needed) and the requirement that the attacker can reach the vulnerable endpoints. The scope includes all affected OpenMRS instances running vulnerable versions, especially those deployed in healthcare institutions across Europe.

1. Immediate upgrade of openmrs-core to the latest patched versions for the respective minor versions (2.1.5, 2.2.1, 2.3.5, 2.4.5, or 2.5.3) to ensure the vulnerability is addressed. 2. Upgrade Apache Tomcat to version 7.0.28 or later to benefit from URL normalization that mitigates path traversal attempts. 3. Implement strict input validation and sanitization on all user-supplied parameters, especially those used in file path construction, to prevent directory traversal sequences such as '../'. 4. Restrict file system permissions for the OpenMRS application user to the minimum necessary, limiting access to sensitive files and directories. 5. Employ web application firewalls (WAFs) with rules designed to detect and block path traversal patterns targeting the vulnerable endpoints. 6. Conduct regular security audits and penetration testing focused on web application vulnerabilities, including path traversal. 7. Monitor application logs for suspicious access patterns to `/images` and `/initfilter/scripts` endpoints that may indicate exploitation attempts. 8. Educate IT and security staff about the vulnerability and ensure timely patch management processes are in place.