CVE-2022-1067

Summary

Navigating to a specific URL with a patient ID number will result in the server generating a PDF of a lab report without authentication and rate limiting.

Affected Software

VendorProductVersion RangeStatus
LifePoint InformaticsPatient PortalAll < LPI 3.5.12.P30affected

Weaknesses

  • CWE-288: CWE-288 Authentication Bypass Using an Alternate Path or Channel

Workarounds

LifePoint Informatics released and deployed updated Version LPI 3.5.15 in February of 2022, which mitigated this vulnerability. LifePoint Informatics Patient Portal is a hosted application and users don’t need to take any action.

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References