Skip to content

Improper access control with PATCH requests

High
michael-markevich published GHSA-pwvw-4m67-f4g2 May 4, 2023

Package

dhis2-core (dhis2)

Affected versions

2.36, 2.37, 2.38, 2.39

Patched versions

2.37.9.1, 2.38.3.1, 2.39.1.2

Description

Impact

Using object model traversal in the payload of a PATCH request, authenticated users with write access to an object may be able to modify related objects that they should not have access to.

Patches

DHIS2 implementers should upgrade to a supported version of DHIS2: 2.37.9.1, 2.38.3.1, or 2.39.1.2.

Workarounds

It is possible to work around this issue by blocking all PATCH requests on a reverse proxy, but this may cause some issues with the functionality of built-in applications using legacy PATCH requests (for example, in the user management app).

For more information

If you have any questions or comments about this advisory, please email us at security@dhis2.org.

References

Severity

High
7.1
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
Low
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

CVE ID

CVE-2023-31138

Weaknesses