CVE-2021-32104

8.8 HIGH

📋 TL;DR

This SQL injection vulnerability in OpenEMR's eye examination form interface allows authenticated users to execute arbitrary SQL commands on the database. It affects OpenEMR installations running version 5.0.2.1, potentially compromising patient health records and system integrity.

💻 Affected Systems

Products:
  • OpenEMR
Versions: 5.0.2.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user access to the eye examination form interface.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to patient data theft, record manipulation, or full system takeover via SQL injection to command execution escalation.

🟠

Likely Case

Unauthorized access to sensitive patient health records, modification of medical data, or privilege escalation within the OpenEMR system.

🟢

If Mitigated

Limited impact if proper input validation and database permissions restrict user privileges, though SQL injection could still expose some data.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

SQL injection is well-documented and can be exploited with standard tools; requires user authentication but minimal technical skill.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: OpenEMR 5.0.2 Patch 5

Vendor Advisory: https://community.open-emr.org/t/openemr-5-0-2-patch-5-has-been-released/15431

Restart Required: No

Instructions:

1. Download OpenEMR 5.0.2 Patch 5 from the OpenEMR website.
2. Apply the patch following OpenEMR's patching instructions.
3. Verify the fix by checking that interface/forms/eye_mag/save.php has been updated.

🔧 Temporary Workarounds

Disable Eye Examination Module

Platform: linux

Temporarily disable the vulnerable eye examination form interface to prevent exploitation. The eye examination form will be unavailable until the file is restored after patching.

mv interface/forms/eye_mag/save.php interface/forms/eye_mag/save.php.disabled

Web Application Firewall Rules

Platform: all

Implement WAF rules to block SQL injection patterns targeting the vulnerable endpoint.

🧯 If You Can't Patch

  • Implement strict input validation and parameterized queries in the save.php file.
  • Restrict database user permissions to minimize potential damage from SQL injection.

🔍 How to Verify

Check if Vulnerable:

Check whether interface/forms/eye_mag/save.php exists in the OpenEMR installation and review its code for a lack of parameterized queries.

Check Version:

grep 'OpenEMR Version' openemr/version.php

Verify Fix Applied:

Verify that interface/forms/eye_mag/save.php has been updated with proper input sanitization or parameterized queries after patching.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts followed by access to eye_mag forms
  • HTTP requests to interface/forms/eye_mag/save.php with SQL syntax in parameters

Network Indicators:

  • HTTP POST requests to /interface/forms/eye_mag/save.php containing SQL keywords like UNION, SELECT, INSERT

SIEM Query:

source="web_logs" AND url="/interface/forms/eye_mag/save.php" AND (query CONTAINS "UNION" OR query CONTAINS "SELECT" OR query CONTAINS "INSERT")
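As an added example (not part of the original advisory), the following Python script applies the detection logic above to constructed web-server access-log lines: it parses each line, decodes the URL-encoded query string before matching (a plain CONTAINS "SELECT" check misses encoded payloads), and flags only requests to the save.php endpoint. The log lines, usernames and addresses are constructed samples; the keyword list and tautology pattern are assumptions a team would tune to its own traffic.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - alice [01/Jun/2021:10:00:01 +0000] "POST /interface/forms/eye_mag/save.php?id=42&mode=update HTTP/1.1" 200 512
10.0.0.7 - bob [01/Jun/2021:10:02:14 +0000] "POST /interface/forms/eye_mag/save.php?id=42%27%20UNION%20SELECT%201,2,3--%20&mode=update HTTP/1.1" 200 1024
10.0.0.9 - carol [01/Jun/2021:10:03:30 +0000] "GET /interface/main/main_screen.php HTTP/1.1" 200 4096
10.0.0.7 - bob [01/Jun/2021:10:04:00 +0000] "POST /interface/forms/eye_mag/save.php?id=1%20OR%201%3D1 HTTP/1.1" 200 700
"""

VULN_PATH = "/interface/forms/eye_mag/save.php"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Word-bounded SQL keywords, an "OR n=n" tautology and a trailing comment marker,
# matched against the *decoded* query so percent-encoding does not hide them.
# Keyword choice is an assumption; e.g. "update" is left out because a legitimate
# form parameter (mode=update) would otherwise fire on every normal save.
SQLI_RE = re.compile(
    r"\b(union|select|insert)\b|\bor\b\s+\d+\s*=\s*\d+|--\s",
    re.IGNORECASE,
)

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_suspicious(entry):
    # Access logs carry only the query string; POST bodies need WAF or app logs.
    parts = urlsplit(entry["target"])
    if parts.path != VULN_PATH:
        return False
    return SQLI_RE.search(unquote_plus(parts.query)) is not None

def find_hits(log_text):
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_suspicious(entry):
            decoded = unquote_plus(urlsplit(entry["target"]).query)
            hits.append((entry["ip"], entry["user"], entry["ts"], decoded))
    return hits

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(hit)
```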

🔗 References
