CVE-2022-1067 - Vulnerability Details - OpenCVE

Description

Navigating to a specific URL with a patient ID number will result in the server generating a PDF of a lab report without authentication and rate limiting.

Published: 2022-04-11

Score: 6.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

LifePoint Informatics

Patient Portal

affected

Version	Status	Constraints
`All`	affected	< LPI 3.5.12.P30

Configuration 1 [-]

cpe:2.3:a:lifepoint:patient_portal:*:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

Vendor Workaround

LifePoint Informatics released and deployed updated Version LPI 3.5.15 in February of 2022, which mitigated this vulnerability. LifePoint Informatics Patient Portal is a hosted application and users don’t need to take any action.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2022-24411	Navigating to a specific URL with a patient ID number will result in the server generating a PDF of a lab report without authentication and rate limiting.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00149.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://www.cisa.gov/uscert/ics/advisories/icsma-22-095-01

History

Wed, 16 Apr 2025 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Subscriptions

Lifepoint Patient Portal

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2022-04-11T19:38:15.631Z

Updated: 2025-04-16T16:31:04.569Z

Reserved: 2022-03-24T00:00:00.000Z

Link: CVE-2022-1067

Vulnrichment

Updated: 2024-08-02T23:47:43.331Z

NVD

Status : Modified

Published: 2022-04-11T20:15:16.797

Modified: 2024-11-21T06:39:58.037

Link: CVE-2022-1067

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

{"containers": {"cna": {"affected": [{"product": "Patient Portal", "vendor": "LifePoint Informatics", "versions": [{"lessThan": "LPI 3.5.12.P30", "status": "affected", "version": "All", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Andrew Perrong reported this vulnerability to CISA."}], "datePublic": "2022-04-05T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "Navigating to a specific URL with a patient ID number will result in the server generating a PDF of a lab report without authentication and rate limiting."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-288", "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-04-11T19:38:15.000Z", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-22-095-01"}], "source": {"advisory": "ICSMA-22-095-01", "discovery": "EXTERNAL"}, "title": "ICSMA-22-095-01 LifePoint Informatics Patient Portal", "workarounds": [{"lang": "en", "value": "LifePoint Informatics released and deployed updated Version LPI 3.5.15 in February of 2022, which mitigated this vulnerability. LifePoint Informatics Patient Portal is a hosted application and users don\u2019t need to take any action."}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2022-04-05T17:00:00.000Z", "ID": "CVE-2022-1067", "STATE": "PUBLIC", "TITLE": "ICSMA-22-095-01 LifePoint Informatics Patient Portal"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Patient Portal", "version": {"version_data": [{"version_affected": "<", "version_name": "All", "version_value": "LPI 3.5.12.P30"}]}}]}, "vendor_name": "LifePoint Informatics"}]}}, "credit": [{"lang": "eng", "value": "Andrew Perrong reported this vulnerability to CISA."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Navigating to a specific URL with a patient ID number will result in the server generating a PDF of a lab report without authentication and rate limiting."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-288 Authentication Bypass Using an Alternate Path or Channel"}]}]}, "references": {"reference_data": [{"name": "https://www.cisa.gov/uscert/ics/advisories/icsma-22-095-01", "refsource": "MISC", "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-22-095-01"}]}, "source": {"advisory": "ICSMA-22-095-01", "discovery": "EXTERNAL"}, "work_around": [{"lang": "en", "value": "LifePoint Informatics released and deployed updated Version LPI 3.5.15 in February of 2022, which mitigated this vulnerability. LifePoint Informatics Patient Portal is a hosted application and users don\u2019t need to take any action."}]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T23:47:43.331Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-22-095-01"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-16T15:54:50.788273Z", "id": "CVE-2022-1067", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-16T16:31:04.569Z"}}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2022-1067", "datePublished": "2022-04-11T19:38:15.631Z", "dateReserved": "2022-03-24T00:00:00.000Z", "dateUpdated": "2025-04-16T16:31:04.569Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"containers": {"cna": {"affected": [{"product": "Patient Portal", "vendor": "LifePoint Informatics", "versions": [{"lessThan": "LPI 3.5.12.P30", "status": "affected", "version": "All", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Andrew Perrong reported this vulnerability to CISA."}], "datePublic": "2022-04-05T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "Navigating to a specific URL with a patient ID number will result in the server generating a PDF of a lab report without authentication and rate limiting."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-288", "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-04-11T19:38:15.000Z", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-22-095-01"}], "source": {"advisory": "ICSMA-22-095-01", "discovery": "EXTERNAL"}, "title": "ICSMA-22-095-01 LifePoint Informatics Patient Portal", "workarounds": [{"lang": "en", "value": "LifePoint Informatics released and deployed updated Version LPI 3.5.15 in February of 2022, which mitigated this vulnerability. LifePoint Informatics Patient Portal is a hosted application and users don\u2019t need to take any action."}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2022-04-05T17:00:00.000Z", "ID": "CVE-2022-1067", "STATE": "PUBLIC", "TITLE": "ICSMA-22-095-01 LifePoint Informatics Patient Portal"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Patient Portal", "version": {"version_data": [{"version_affected": "<", "version_name": "All", "version_value": "LPI 3.5.12.P30"}]}}]}, "vendor_name": "LifePoint Informatics"}]}}, "credit": [{"lang": "eng", "value": "Andrew Perrong reported this vulnerability to CISA."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Navigating to a specific URL with a patient ID number will result in the server generating a PDF of a lab report without authentication and rate limiting."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-288 Authentication Bypass Using an Alternate Path or Channel"}]}]}, "references": {"reference_data": [{"name": "https://www.cisa.gov/uscert/ics/advisories/icsma-22-095-01", "refsource": "MISC", "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-22-095-01"}]}, "source": {"advisory": "ICSMA-22-095-01", "discovery": "EXTERNAL"}, "work_around": [{"lang": "en", "value": "LifePoint Informatics released and deployed updated Version LPI 3.5.15 in February of 2022, which mitigated this vulnerability. LifePoint Informatics Patient Portal is a hosted application and users don\u2019t need to take any action."}]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T23:47:43.331Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-22-095-01"}]}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-1067", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-16T15:54:50.788273Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-16T15:54:52.728Z"}}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2022-1067", "datePublished": "2022-04-11T19:38:15.631Z", "dateReserved": "2022-03-24T00:00:00.000Z", "dateUpdated": "2025-04-16T16:31:04.569Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lifepoint:patient_portal:*:*:*:*:*:*:*:*", "matchCriteriaId": "D37846CC-DAF9-4E1B-9045-A8D904BEDD7A", "versionEndExcluding": "lpi_3.5.12.p30", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Navigating to a specific URL with a patient ID number will result in the server generating a PDF of a lab report without authentication and rate limiting."}, {"lang": "es", "value": "Si es navegado a una URL espec\u00edfica con un n\u00famero de identificaci\u00f3n de paciente, el servidor genera un PDF de un informe de laboratorio sin autenticaci\u00f3n ni limitaci\u00f3n de velocidad"}], "id": "CVE-2022-1067", "lastModified": "2024-11-21T06:39:58.037", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-04-11T20:15:16.797", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-22-095-01"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-22-095-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-288"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}]}