Dhis 2
CVE-2023-31138
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
1DescriptionNVD
DHIS2 Core contains the service layer and Web API for DHIS2, an information system for data capture. Starting in the 2.36 branch and prior to versions 2.37.9.1, 2.38.3.1, and 2.39.1.2, using object model traversal in the payload of a PATCH request, authenticated users with write access to an object may be able to modify related objects that they should not have access to. DHIS2 implementers should upgrade to a supported version of DHIS2 to receive a patch: 2.37.9.1, 2.38.3.1, or 2.39.1.2. It is possible to work around this issue by blocking all PATCH requests on a reverse proxy, but this may cause some issues with the functionality of built-in applications using legacy PATCH requests.
AnalysisAI
DHIS2 Core contains the service layer and Web API for DHIS2, an information system for data capture. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-284. DHIS2 Core contains the service layer and Web API for DHIS2, an information system for data capture. Starting in the 2.36 branch and prior to versions 2.37.9.1, 2.38.3.1, and 2.39.1.2, using object model traversal in the payload of a PATCH request, authenticated users with write access to an object may be able to modify related objects that they should not have access to. DHIS2 implementers should upgrade to a supported version of DHIS2 to receive a patch: 2.37.9.1, 2.38.3.1, or 2.39.1.2. It is possible to work around this issue by blocking all PATCH requests on a reverse proxy, but this may cause some issues with the functionality of built-in applications using legacy PATCH requests. Affected products include: Dhis2 Dhis 2.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
DHIS 2 is an information system for data capture, management, validation, analytics and visualization. Rated high severi
DHIS2 is an information system for data capture, management, validation, analytics and visualization. Rated high severit
DHIS 2 is an information system for data capture, management, validation, analytics and visualization. Rated high severi
DHIS 2 is an information system for data capture, management, validation, analytics and visualization. Rated high severi
DHIS2 Core contains the service layer and Web API for DHIS2, an information system for data capture. Rated high severity
DHIS 2 is an open source information system for data capture, management, validation, analytics and visualization. Rated
DHIS2 Core contains the service layer and Web API for DHIS2, an information system for data capture. Rated medium severi
DHIS 2 is an open source information system for data capture, management, validation, analytics and visualization. Rated
DHIS 2 is an open source information system for data capture, management, validation, analytics and visualization. Rated
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today