Stryker Vocera Report Server and Voice Server Vulnerabilities

28-Apr-2023

Security vulnerabilities have been identified impacting the Vocera Voice Server (VS) and Vocera Report Server (VRS) web consoles. Impacted product versions contain vulnerabilities that could allow an attacker to upload arbitrary files to the server and potentially execute unauthenticated tasks as a privileged user. An attacker would require network access to the Vocera servers' admin console or report console to exploit these vulnerabilities. The vulnerabilities are described in the following CVEs:

CVE-2022-46898 Arbitrary File Upload
CVE-2022-46899 Path Traversal in Task Exec Filename
CVE-2022-46900 Access Control Violation on Database Operations
CVE-2022-46901 Path Traversal in restore SQL data filename
CVE-2022-46902 Path Traversal on Unzip operation

Products Impacted: Vocera Platform 5.x
Components Impacted:

  • Vocera Report Server - Versions 5.8.0.135 and earlier
  • Vocera Voice Server - Versions 5.8.0.135 and earlier

These vulnerabilities are fixed as of version 5.8.0.140 and can be resolved by upgrading to the latest version of the software. Customers of the impacted products have been directly notified of these vulnerabilities and the related software update. To date, no incident or breach related to these vulnerabilities has been reported. For further information, contact Vocera Support.
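
The following is an added example, not part of the Stryker advisory and not Vocera code: a Python triage of an asset inventory against the version ranges stated above. The CSV layout, host names and status labels are assumptions; builds between 5.8.0.135 and 5.8.0.140 are reported as "unconfirmed" because the advisory does not address them.

```python
# Added example. Inventory rows are constructed; the CSV layout is an assumption.
import csv
import io

LAST_AFFECTED = (5, 8, 0, 135)  # advisory: "5.8.0.135 and earlier"
FIRST_FIXED = (5, 8, 0, 140)    # advisory: "fixed as of version 5.8.0.140"
COMPONENTS = {"VRS", "VS"}      # Vocera Report Server, Vocera Voice Server

def parse_version(text):
    """Return a 4-tuple of ints, or None if not a dotted four-part build number."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(component, version_text):
    """Map one installed component and version to a triage status."""
    if component.strip().upper() not in COMPONENTS:
        return "not-listed"    # advisory names only VRS and VS
    version = parse_version(version_text)
    if version is None:
        return "unparseable"   # confirm the build on the host itself
    if version[0] != 5:
        return "out-of-scope"  # advisory covers Vocera Platform 5.x
    if version <= LAST_AFFECTED:
        return "affected"
    if version >= FIRST_FIXED:
        return "fixed"
    return "unconfirmed"       # builds between .135 and .140 are not addressed

def triage(inventory_csv):
    """Return (host, component, version, status) rows, most urgent first."""
    order = {"affected": 0, "unconfirmed": 1, "unparseable": 2}
    rows = [(r["host"], r["component"], r["version"],
             classify(r["component"], r["version"]))
            for r in csv.DictReader(io.StringIO(inventory_csv))]
    return sorted(rows, key=lambda row: (order.get(row[3], 3), row[0]))

SAMPLE_INVENTORY = """host,component,version
voice-01,VS,5.8.0.135
report-01,VRS,5.8.0.140
voice-02,VS,5.4.3.22
report-02,VRS,5.8.0.137
voice-03,VS,5.8.0
"""

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print("{:<10} {:<4} {:<11} {}".format(*row))
```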

For more information:
https://cve.report/CVE-2022-46898

https://cve.report/CVE-2022-46899

https://cve.report/CVE-2022-46900

https://cve.report/CVE-2022-46901

https://cve.report/CVE-2022-46902