CVE-2023-54347
Authentication Bypass via Brute Force in OpenEMR 7.0.1
Publication date: 2026-05-05
Last updated on: 2026-05-05
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open-emr | openemr | 7.0.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-307 | The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
OpenEMR 7.0.1 does not sufficiently limit repeated failed logins, so an attacker can brute-force credentials and gain unauthorized access to the medical records the system holds.
Such access is exactly the outcome that data protection regimes such as GDPR and HIPAA require a covered organization to prevent through effective access controls on personal health information.
Because the weakness lets an attacker test username and password combinations systematically without an account lockout or throttle taking effect, it undermines a control that auditors treat as baseline for compliance with these standards.
Can you explain this vulnerability to me?
CVE-2023-54347 is an authentication brute-force weakness (CWE-307) in OpenEMR 7.0.1: the login handler does not effectively restrict repeated failed authentication attempts.
An attacker sends repeated POST requests to the login endpoint, varying the authUser and clearPass parameters, and systematically tests username and password combinations without an account lockout or rate limit stopping the attempts.
In practice the attacker is free to try as many credential guesses as time and bandwidth allow, which is what turns a weak or reused password into a full compromise of the account.
How can this vulnerability impact me?
The immediate risk is unauthorized access to the OpenEMR instance.
Because login attempts are not throttled, an attacker can guess valid usernames and passwords and, on success, read and modify patient records and other protected health information with the privileges of the compromised user.
The consequences are a reportable data breach, privacy violations for the affected patients, and loss of integrity of the provider's clinical records.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Exploitation leaves a simple footprint: many POST requests to the OpenEMR login endpoint from the same client in a short time, almost all of them answered with a failed login, and no lockout ever taking effect.
Two caveats determine what you can actually inspect:
- Packet capture shows the request line and the authUser and clearPass parameters only for plaintext HTTP. On a TLS-protected deployment, tcpdump and Wireshark see encrypted bytes, so either capture at the TLS-terminating proxy or rely on server logs. For plaintext traffic, this filter prints TCP segments that carry a payload and keeps only login POSTs (substitute the actual login path of your installation for /login):
- tcpdump -i <interface> -l -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'POST /login'
- Web server access logs (Apache, Nginx) record the request line and status but not the POST body, so the parameter names authUser and clearPass never appear there and grepping access.log for them matches nothing. Count login POSTs per source address instead, and treat a large count concentrated in a few minutes as a brute-force attempt:
- grep 'POST /login' /var/log/apache2/access.log | awk '{print $1}' | sort | uniq -c | sort -rn | head
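Since access logs carry no request bodies, the practical detection signal is the rate of login POSTs per client. The script below, added here as an illustration and not part of the advisory or of OpenEMR, parses Apache/Nginx combined-format lines and flags any client address that sends more than a threshold of login POSTs inside a sliding window. The log lines are constructed for the example, and LOGIN_PATH = "/login" is an assumption that mirrors the grep above; point it at the real OpenEMR login handler path of your deployment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumption: the path of the deployment's login handler. "/login" mirrors the
# page's grep; replace it with the actual OpenEMR login endpoint you serve.
LOGIN_PATH = "/login"
WINDOW_SECONDS = 60   # sliding window over which login POSTs are counted
THRESHOLD = 10        # more than this many POSTs per window is flagged

# Apache/Nginx "combined" log format. POST bodies (authUser/clearPass) are
# never written here, so detection has to rely on request volume.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]   # ignore query string
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))


def find_bruteforce(lines, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return {ip: peak_count} for clients that sent more than `threshold`
    login POSTs within any `window`-second span. Input order does not matter;
    records are sorted by timestamp before the sliding window is applied."""
    records = [r for r in map(parse_line, lines) if r is not None]
    records.sort(key=lambda r: r[1])
    recent = defaultdict(deque)   # ip -> timestamps of recent login POSTs
    peaks = {}
    for ip, ts, method, path, _status in records:
        if method != "POST" or path != LOGIN_PATH:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()                        # drop POSTs older than the window
        if len(q) > threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


# Constructed sample log: one client hammering the login form, one normal user.
def _line(ip, second, method="POST", path=LOGIN_PATH, status=200):
    return (f'{ip} - - [05/May/2026:10:00:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')


SAMPLE_LOG = (
    [_line("203.0.113.7", s) for s in range(0, 36, 3)]        # 12 POSTs in 33 s
    + [_line("198.51.100.4", 5), _line("198.51.100.4", 40)]   # two honest attempts
    + [_line("198.51.100.4", 41, method="GET", path="/")]     # unrelated request
)

if __name__ == "__main__":
    for ip, count in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {count} login POSTs within {WINDOW_SECONDS}s")
```

With the defaults the attacker address is reported at a peak of 12 POSTs per minute while the honest user stays well under the threshold; lowering `threshold` on a real log shows how noisy the rule becomes, which is why the window and threshold should be tuned against a few days of baseline traffic before alerting on them.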
What immediate steps should I take to mitigate this vulnerability?
Apply the OpenEMR update that addresses this issue as soon as the project publishes it.
Until then, enforce the missing control in front of the application: rate-limit or temporarily block repeated POST requests to the login endpoint at the reverse proxy or web application firewall, keyed on client address, so that credential guessing is slowed to a rate at which it no longer pays off.
Alert on bursts of failed logins so that exploitation attempts are noticed while they are still running rather than after a successful login.
Tune the limits so that a lockout triggered by an attacker does not become a denial of service against the legitimate account holder: short lockout windows and per-address throttling combined with per-account failure counters work better than an indefinite per-account lock.
Where the deployment supports it, multi-factor authentication limits what a correctly guessed password yields.
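The application-level counterpart to a WAF rule is a throttle that counts failures per account and per client address and refuses further attempts once either budget is exhausted. The class below is an added example written for this page; it is not OpenEMR code and not the fix the project shipped. The thresholds, the FakeClock and the attempt_login wrapper are illustrative assumptions chosen to make the behaviour visible in a few lines.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Count failed logins per account and per client IP; deny attempts that
    exceed either budget. In-memory only, for illustration; a real deployment
    would keep this state in a shared store so every web node sees it."""

    def __init__(self, max_per_account=5, max_per_ip=20,
                 window=300, lockout=900, clock=time.monotonic):
        self.max_per_account = max_per_account  # failures before an account locks
        self.max_per_ip = max_per_ip            # failures per IP tolerated per window
        self.window = window                    # seconds over which failures count
        self.lockout = lockout                  # seconds a locked account stays locked
        self.clock = clock
        self._account_fail = defaultdict(deque)
        self._ip_fail = defaultdict(deque)
        self._locked_until = {}

    def _prune(self, q, now):
        while q and now - q[0] > self.window:
            q.popleft()

    def allowed(self, username, ip):
        """False while the account is locked or the IP has exhausted its budget."""
        now = self.clock()
        until = self._locked_until.get(username)
        if until is not None and now < until:
            return False
        self._prune(self._ip_fail[ip], now)
        return len(self._ip_fail[ip]) < self.max_per_ip

    def record_failure(self, username, ip):
        now = self.clock()
        for q in (self._account_fail[username], self._ip_fail[ip]):
            q.append(now)
            self._prune(q, now)
        if len(self._account_fail[username]) >= self.max_per_account:
            # Short lockout rather than indefinite: limits the DoS an attacker
            # can inflict on the real user by deliberately tripping the lock.
            self._locked_until[username] = now + self.lockout
            self._account_fail[username].clear()

    def record_success(self, username):
        self._account_fail.pop(username, None)
        self._locked_until.pop(username, None)


def attempt_login(throttle, check_password, username, password, ip):
    """Gate the password check behind the throttle: 'locked', 'ok' or 'bad'.
    A locked account is refused before the password is even compared."""
    if not throttle.allowed(username, ip):
        return "locked"
    if check_password(username, password):
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username, ip)
    return "bad"


class FakeClock:
    """Deterministic stand-in for time.monotonic so the demo is reproducible."""
    def __init__(self):
        self.now = 0.0

    def advance(self, seconds):
        self.now += seconds

    def __call__(self):
        return self.now


def demo_single_account():
    """Three wrong guesses lock 'admin'; later guesses are refused unchecked;
    after the lockout expires the correct password works again."""
    clock = FakeClock()
    t = LoginThrottle(max_per_account=3, max_per_ip=100, window=60, lockout=120, clock=clock)
    creds = {"admin": "correct horse"}          # constructed credential store
    check = lambda u, p: creds.get(u) == p
    results = [attempt_login(t, check, "admin", f"guess{i}", "203.0.113.7") for i in range(5)]
    clock.advance(121)
    return results, attempt_login(t, check, "admin", "correct horse", "203.0.113.7")


def demo_password_spray():
    """One IP trying one password against many accounts is stopped by the per-IP budget."""
    clock = FakeClock()
    t = LoginThrottle(max_per_account=100, max_per_ip=2, window=60, lockout=120, clock=clock)
    check = lambda u, p: False
    return [attempt_login(t, check, f"user{i}", "Spring2026!", "203.0.113.7") for i in range(3)]


if __name__ == "__main__":
    print(demo_single_account())
    print(demo_password_spray())
```

The two demos cover the two shapes a brute-force attack takes: many passwords against one account, caught by the per-account counter, and one password against many accounts, caught by the per-address counter. Either counter alone leaves a gap, and the per-account lock is deliberately short so that tripping it does not lock the real user out for good.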