The OpenMRS Core platform has a CWE-22 path traversal vulnerability in the ModuleResourcesServlet endpoint /openmrs/moduleResources/{moduleid} in affected versions. The servlet concatenates user-supplied path input into an absolute filesystem path without normalization or boundary validation, enabling directory traversal. Because this endpoint serves static resources needed for the login page, it is accessible without authentication. Exploitation allows reading arbitrary files such as /etc/passwd or configuration files containing sensitive data. The vulnerability is exploitable only on Apache Tomcat versions prior to 8.5.31 due to lack of container-level mitigation for the ..; path bypass. OpenMRS versions after 2.7.8 and from 2.8.6 and later include fixes for this issue, though the underlying code defect remains and relies on Tomcat container protections in later versions.

Successful exploitation allows unauthenticated attackers to read arbitrary files on the server filesystem, including sensitive system files and application configuration files that may contain database credentials. This can lead to information disclosure and potentially further compromise of the affected system. The vulnerability is rated high severity with a CVSS 4.0 score of 8.2. Exploitation is limited to deployments running vulnerable OpenMRS versions on Apache Tomcat versions prior to 8.5.31.

The vulnerability is fixed in OpenMRS versions after 2.7.8 (within the 2.7.x branch) and in version 2.8.6 and later. Deployments should upgrade to these fixed versions to remediate the issue. Additionally, running Apache Tomcat version 8.5.31 or later or 9.0.10 or later provides container-level mitigation against the path traversal bypass. Since the underlying code defect remains in later OpenMRS versions, maintaining an updated Tomcat container is important. Patch status is not explicitly confirmed by a vendor advisory here, so verify current remediation guidance from OpenMRS official sources before deployment.