Skip to content

Unrestricted session cookies with PATs

Moderate
michael-markevich published GHSA-44g3-9mp4-prv3 May 8, 2023

Package

dhis2-core (dhis2)

Affected versions

>= 2.37

Patched versions

2.37.9.1, 2.38.3.1, 2.39.1.2

Description

Impact

We discovered that Personal Access Tokens (PATs), introduced in version 2.37, generate unrestricted session cookies. This may lead to a bypass of other access restrictions (for example, based on allowed IP addresses or HTTP methods).

Patches

DHIS2 implementers should upgrade to a supported version of DHIS2: 2.37.9.1, 2.38.3.1, or 2.39.1.2.

Workarounds

You can workaround this issue by adding extra access control validations on a reverse proxy.

For more information

If you have any questions or comments about this advisory, please email us at security@dhis2.org.

References

Severity

Moderate
4.3
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVE ID

CVE-2023-31139

Weaknesses