CVE-2024-50589

Summary

An unauthenticated attacker with access to the local network of the medical office can query an unprotected Fast Healthcare Interoperability Resources (FHIR) API to get access to sensitive electronic health records (EHR).

Affected Software

VendorProductVersion RangeStatus
HASOMEDElefant<24.04.00affected

Weaknesses

  • CWE-306: CWE-306 Missing Authentication for Critical Function

Workarounds

While workarounds such as modifying the Elefant windows firewall rules and manually adjusting file permissions in the installation folder are feasible workarounds for some of the vulnerabilities, it is recommended to install the patches provided by the vendor.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

CVE Program Container

Additional References

References