{"id":"CVE-2022-24830","summary":"Path Traversal in OpenClinica","details":"OpenClinica is an open source software for Electronic Data Capture (EDC) and Clinical Data Management (CDM). OpenClinica prior to version 3.16 is vulnerable to path traversal in multiple endpoints, leading to arbitrary file read/write, and potential remote code execution. There are no known workarounds. This issue has been patched and users are recommended to upgrade.","aliases":["GHSA-9rrv-prff-qph7"],"modified":"2026-04-11T22:01:30.968925Z","published":"2022-05-13T23:40:09Z","database_specific":{"cwe_ids":["CWE-22"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/24xxx/CVE-2022-24830.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/24xxx/CVE-2022-24830.json"},{"type":"ADVISORY","url":"https://github.com/OpenClinica/OpenClinica/security/advisories/GHSA-9rrv-prff-qph7"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24830"},{"type":"FIX","url":"https://github.com/OpenClinica/OpenClinica/commit/6f864e86543f903bd20d6f9fc7056115106441f3"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/openclinica/openclinica","events":[{"introduced":"0"},{"fixed":"6f864e86543f903bd20d6f9fc7056115106441f3"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-24830.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"fixed":"3.13.1"}]},{"events":[{"introduced":"3.15"},{"fixed":"3.16.2"}]},{"events":[{"introduced":"0"},{"last_affected":"3.14"}]}],"vanir_signatures":[{"signature_version":"v1","id":"CVE-2022-24830-260bb36b","digest":{"function_hash":"23405224516062003947073924392557395562","length":814},"deprecated":false,"signature_type":"Function","target":{"function":"getLogFile","file":"web/src/main/java/org/akaza/openclinica/controller/BatchCRFMigrationController.java"},"source":"https://github.com/openclinica/openclinica/commit/6f864e86543f903bd20d6f9fc7056115106441f3"},{"signature_version":"v1","id":"CVE-2022-24830-2e7f70da","digest":{"function_hash":"234657055315219325602670214734841915086","length":2078},"deprecated":false,"signature_type":"Function","target":{"function":"processRequest","file":"web/src/main/java/org/akaza/openclinica/control/admin/DownloadVersionSpreadSheetServlet.java"},"source":"https://github.com/openclinica/openclinica/commit/6f864e86543f903bd20d6f9fc7056115106441f3"},{"signature_version":"v1","id":"CVE-2022-24830-559692e7","digest":{"threshold":0.9},"deprecated":false,"signature_type":"Line","target":{"file":"web/src/main/java/org/akaza/openclinica/control/submit/DownloadAttachedFileServlet.java"},"source":"https://github.com/openclinica/openclinica/commit/6f864e86543f903bd20d6f9fc7056115106441f3"},{"signature_version":"v1","id":"CVE-2022-24830-7ff8d4d9","digest":{"threshold":0.9},"deprecated":false,"signature_type":"Line","target":{"file":"web/src/main/java/org/akaza/openclinica/controller/BatchCRFMigrationController.java"},"source":"https://github.com/openclinica/openclinica/commit/6f864e86543f903bd20d6f9fc7056115106441f3"},{"signature_version":"v1","id":"CVE-2022-24830-8bfdfee9","digest":{"threshold":0.9},"deprecated":false,"signature_type":"Line","target":{"file":"web/src/main/java/org/akaza/openclinica/control/admin/DownloadVersionSpreadSheetServlet.java"},"source":"https://github.com/openclinica/openclinica/commit/6f864e86543f903bd20d6f9fc7056115106441f3"},{"signature_version":"v1","id":"CVE-2022-24830-c937c0f9","digest":{"function_hash":"69153368324523684091796547156437595751","length":2527},"deprecated":false,"signature_type":"Function","target":{"function":"processRequest","file":"web/src/main/java/org/akaza/openclinica/control/submit/DownloadAttachedFileServlet.java"},"source":"https://github.com/openclinica/openclinica/commit/6f864e86543f903bd20d6f9fc7056115106441f3"},{"signature_version":"v1","id":"CVE-2022-24830-ce447e1b","digest":{"threshold":0.9},"deprecated":false,"signature_type":"Line","target":{"file":"web/src/main/java/org/akaza/openclinica/controller/openrosa/OpenRosaSubmissionController.java"},"source":"https://github.com/openclinica/openclinica/commit/6f864e86543f903bd20d6f9fc7056115106441f3"},{"signature_version":"v1","id":"CVE-2022-24830-d114b41e","digest":{"function_hash":"127861748150570354127264849693866406851","length":366},"deprecated":false,"signature_type":"Function","target":{"function":"getAttachedFilePath","file":"web/src/main/java/org/akaza/openclinica/controller/openrosa/OpenRosaSubmissionController.java"},"source":"https://github.com/openclinica/openclinica/commit/6f864e86543f903bd20d6f9fc7056115106441f3"}],"vanir_signatures_modified":"2026-04-11T22:01:30Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}]}