CVE Number
CVE-2024-29380
Loginsoft ID
Loginsoft-2024-1011
Description
The application “Medplum” is affected by a privilege escalation vulnerability that can lead to the execution of system commands. An attacker with practitioner privileges can elevate their status to a project admin using the ProjectMembership endpoint, enabling them to execute system commands through the bot editor.
CWE
CWE-269: Improper Privilege Management
CWE-94: Improper Control of Generation of Code ('Code Injection')
Affected Versions
< v3.0.7
CVSS
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H : 8.8 (High)
Steps To Reproduce
- Create a practitioner with non-admin privileges.
- Log in as the practitioner and navigate to the endpoint `/ProjectMembership`.
- Click on the ID of the practitioner and navigate to the edit section.
![](https://cdn.prod.website-files.com/65b289cb0ffb9c61ca03e8ed/65e81647dde533750ec57979_2fceb8eb.png)
- Scroll to the bottom and enable the admin option. On submitting the request, the practitioner becomes a project administrator.
![](https://cdn.prod.website-files.com/65b289cb0ffb9c61ca03e8ed/65e81648d97908d7bc0d4e8c_0ba2f48f.png)
- On reloading the browser, the changes will be reflected.
![](https://cdn.prod.website-files.com/65b289cb0ffb9c61ca03e8ed/65e81647e5e947d2e704c6e2_45c2989f.png)
- Navigate to Project under the admin section, and then proceed to Bots.
![](https://cdn.prod.website-files.com/65b289cb0ffb9c61ca03e8ed/65e8164777212e66047be221_eb38dc66.png)
- Click on the bot’s name, then open the link associated with it.
![](https://cdn.prod.website-files.com/65b289cb0ffb9c61ca03e8ed/65e816476e024eaab7f9050b_bc687c5b.png)
- Navigate to the editor section, input the provided payload, and execute the command. This action will trigger a system command, leading to the creation of a file in the document folder.
![](https://cdn.prod.website-files.com/65b289cb0ffb9c61ca03e8ed/65e816486e024eaab7f90513_6df53244.png)
![](https://cdn.prod.website-files.com/65b289cb0ffb9c61ca03e8ed/65e8164820d945d9e0b94369_efc17a58.png)
Impact
Ability to run arbitrary commands on the underlying system.
Mitigation
Remove the option to change admin status, or restrict access to the ProjectMembership endpoint. Additionally, add filters in the bot editor to prevent the execution of system commands.
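One way to implement the first mitigation above, a server-side check that only an existing project admin may change privilege-bearing fields on a ProjectMembership, as an added TypeScript example that is neither Medplum's own code nor the linked fix. The `Requester` shape and the `checkMembershipUpdate` function are assumptions made for illustration.

```typescript
// Added example, not Medplum's own code: a server-side guard for updates to a
// ProjectMembership resource. Field names (admin, project, profile) follow the
// resource named in the advisory; the Requester shape and this function are
// assumptions made for illustration.

interface ProjectMembership {
  resourceType: 'ProjectMembership';
  id: string;
  project: string; // reference to the owning project (assumed shape)
  profile: string; // reference to the practitioner (assumed shape)
  admin?: boolean; // the flag the advisory shows being flipped by a non-admin
}

interface Requester {
  membership: ProjectMembership; // the caller's own membership in the project
}

// Fields that confer privilege: changing any of them requires an admin caller.
const PRIVILEGED_FIELDS: (keyof ProjectMembership)[] = ['admin', 'project', 'profile'];

function checkMembershipUpdate(
  requester: Requester,
  existing: ProjectMembership,
  incoming: ProjectMembership
): { allowed: boolean; reason?: string } {
  if (incoming.id !== existing.id || incoming.resourceType !== 'ProjectMembership') {
    return { allowed: false, reason: 'resource identity mismatch' };
  }
  // Never allow edits to memberships in a project the caller does not belong to.
  if (requester.membership.project !== existing.project) {
    return { allowed: false, reason: 'cross-project update' };
  }
  // Treat an absent admin flag as false so that {} -> {admin: false} is not a "change".
  const changed = PRIVILEGED_FIELDS.filter(
    (f) => (existing[f] ?? false) !== (incoming[f] ?? false)
  );
  if (changed.length === 0) {
    return { allowed: true }; // only non-privileged fields differ; ordinary access rules apply
  }
  // The vulnerable behaviour was to trust the submitted admin flag without this check.
  if (requester.membership.admin !== true) {
    return { allowed: false, reason: `non-admin attempted to change ${changed.join(', ')}` };
  }
  return { allowed: true };
}
```

The guard compares the stored resource against the submitted one rather than trusting the submitted `admin` value, so a non-admin editing their own membership is rejected while an admin's legitimate change is still allowed.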
Fix
https://github.com/medplum/medplum/pull/4074
Discovered Date
15 February 2024
Reported Date
19 February 2024
Patched Date
01 March 2024
Credit
Saharsh Agrawal