JPA Server in HAPI FHIR before 5.4.0 allows a user to deny service (e.g., disable access to the database after the attack stops) via history requests. This occurs because of a SELECT COUNT statement that requires a full index scan, with an accompanying large amount of server resources if there are many simultaneous history requests.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: mitre
Published: 2021-05-10T20:43:45
Updated: 2024-08-03T23:17:28.817Z
Reserved: 2021-05-05T00:00:00
Link: CVE-2021-32053
Vulnrichment
No data.
NVD
Status : Modified
Published: 2021-05-10T21:15:07.883
Modified: 2024-11-21T06:06:46.340
Link: CVE-2021-32053
Redhat
No data.