{"containers": {"cna": {"affected": [{"product": "dhis2-core", "vendor": "dhis2", "versions": [{"status": "affected", "version": ">= 2.32.0, < 2.32-EOS"}, {"status": "affected", "version": ">= 2.33.0, < 2.33-EOS"}, {"status": "affected", "version": ">= 2.34.0, < 2.34.7"}, {"status": "affected", "version": ">= 2.35.0, < 2.35.8"}, {"status": "affected", "version": ">= 2.36.0, < 2.36.4"}]}], "descriptions": [{"lang": "en", "value": "DHIS 2 is an information system for data capture, management, validation, analytics and visualization. A SQL injection security vulnerability has been found in specific versions of DHIS2. This vulnerability affects the API endpoints for /api/trackedEntityInstances and api/events in DHIS2. The system is vulnerable to attack only from users that are logged in to DHIS2, and there is no known way of exploiting the vulnerability without first being logged in as a DHIS2 user. A successful exploit of this vulnerability could allow the malicious user to read, edit and delete data in the DHIS2 instance. There are no known exploits of the security vulnerabilities addressed by these patch releases. However, we strongly recommend that all DHIS2 implementations using versions 2.32, 2.33, 2.34, 2.35 and 2.36 install these patches as soon as possible. There is no straightforward known workaround for DHIS2 instances using the Tracker functionality other than upgrading the affected DHIS2 server to one of the patches in which this vulnerability has been fixed. For implementations which do NOT use Tracker functionality, it may be possible to block all network access to POST to the /api/trackedEntityInstance and /api/events endpoints as a temporary workaround while waiting to upgrade."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-11-01T21:20:08", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/dhis2/dhis2-core/security/advisories/GHSA-fvm5-gp3j-c7c6"}], "source": {"advisory": "GHSA-fvm5-gp3j-c7c6", "discovery": "UNKNOWN"}, "title": "SQL Injection in DHIS2 Tracker API", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-41187", "STATE": "PUBLIC", "TITLE": "SQL Injection in DHIS2 Tracker API"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "dhis2-core", "version": {"version_data": [{"version_value": ">= 2.32.0, < 2.32-EOS"}, {"version_value": ">= 2.33.0, < 2.33-EOS"}, {"version_value": ">= 2.34.0, < 2.34.7"}, {"version_value": ">= 2.35.0, < 2.35.8"}, {"version_value": ">= 2.36.0, < 2.36.4"}]}}]}, "vendor_name": "dhis2"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "DHIS 2 is an information system for data capture, management, validation, analytics and visualization. A SQL injection security vulnerability has been found in specific versions of DHIS2. This vulnerability affects the API endpoints for /api/trackedEntityInstances and api/events in DHIS2. The system is vulnerable to attack only from users that are logged in to DHIS2, and there is no known way of exploiting the vulnerability without first being logged in as a DHIS2 user. A successful exploit of this vulnerability could allow the malicious user to read, edit and delete data in the DHIS2 instance. There are no known exploits of the security vulnerabilities addressed by these patch releases. However, we strongly recommend that all DHIS2 implementations using versions 2.32, 2.33, 2.34, 2.35 and 2.36 install these patches as soon as possible. There is no straightforward known workaround for DHIS2 instances using the Tracker functionality other than upgrading the affected DHIS2 server to one of the patches in which this vulnerability has been fixed. For implementations which do NOT use Tracker functionality, it may be possible to block all network access to POST to the /api/trackedEntityInstance and /api/events endpoints as a temporary workaround while waiting to upgrade."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}]}, "references": {"reference_data": [{"name": "https://github.com/dhis2/dhis2-core/security/advisories/GHSA-fvm5-gp3j-c7c6", "refsource": "CONFIRM", "url": "https://github.com/dhis2/dhis2-core/security/advisories/GHSA-fvm5-gp3j-c7c6"}]}, "source": {"advisory": "GHSA-fvm5-gp3j-c7c6", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T03:08:31.340Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/dhis2/dhis2-core/security/advisories/GHSA-fvm5-gp3j-c7c6"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-41187", "datePublished": "2021-11-01T21:20:08", "dateReserved": "2021-09-15T00:00:00", "dateUpdated": "2024-08-04T03:08:31.340Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dhis2:dhis_2:*:*:*:*:*:*:*:*", "matchCriteriaId": "6C69E468-A816-400F-8C40-69E776489B03", "versionEndIncluding": "2.32.7", "versionStartIncluding": "2.32.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:dhis2:dhis_2:*:*:*:*:*:*:*:*", "matchCriteriaId": "F1742533-D56B-4B5A-AA9F-A0F32FE93B44", "versionEndIncluding": "2.33.9", "versionStartIncluding": "2.33.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:dhis2:dhis_2:*:*:*:*:*:*:*:*", "matchCriteriaId": "70BAC428-459D-4336-A317-E204B77B6A86", "versionEndIncluding": "2.34.6", "versionStartIncluding": "2.34.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:dhis2:dhis_2:*:*:*:*:*:*:*:*", "matchCriteriaId": "85B76519-01AA-4568-8CA6-14787775C048", "versionEndIncluding": "2.35.7", "versionStartIncluding": "2.35.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:dhis2:dhis_2:*:*:*:*:*:*:*:*", "matchCriteriaId": "2FB9F269-A576-47C4-9A64-7B5F58E191B8", "versionEndIncluding": "2.36.3", "versionStartIncluding": "2.36.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "DHIS 2 is an information system for data capture, management, validation, analytics and visualization. A SQL injection security vulnerability has been found in specific versions of DHIS2. This vulnerability affects the API endpoints for /api/trackedEntityInstances and api/events in DHIS2. The system is vulnerable to attack only from users that are logged in to DHIS2, and there is no known way of exploiting the vulnerability without first being logged in as a DHIS2 user. A successful exploit of this vulnerability could allow the malicious user to read, edit and delete data in the DHIS2 instance. There are no known exploits of the security vulnerabilities addressed by these patch releases. However, we strongly recommend that all DHIS2 implementations using versions 2.32, 2.33, 2.34, 2.35 and 2.36 install these patches as soon as possible. There is no straightforward known workaround for DHIS2 instances using the Tracker functionality other than upgrading the affected DHIS2 server to one of the patches in which this vulnerability has been fixed. For implementations which do NOT use Tracker functionality, it may be possible to block all network access to POST to the /api/trackedEntityInstance and /api/events endpoints as a temporary workaround while waiting to upgrade."}, {"lang": "es", "value": "DHIS 2 es un sistema de informaci\u00f3n para la captura, administraci\u00f3n, comprobaci\u00f3n, an\u00e1lisis y visualizaci\u00f3n de datos. Se ha encontrado una vulnerabilidad de seguridad de inyecci\u00f3n SQL en versiones espec\u00edficas de DHIS2. Esta vulnerabilidad afecta a los endpoints de la API para /api/trackedEntityInstances y api/events en DHIS2. El sistema es vulnerable a ataques s\u00f3lo de usuarios que han iniciado sesi\u00f3n en DHIS2, y no se presenta forma conocida de explotar la vulnerabilidad sin haber iniciado sesi\u00f3n como usuario de DHIS2. Una explotaci\u00f3n con \u00e9xito de esta vulnerabilidad podr\u00eda permitir al usuario malicioso leer, editar y borrar datos en la instancia de DHIS2. No se conocen explotaciones de las vulnerabilidades de seguridad abordadas por estos parches. Sin embargo, recomendamos encarecidamente que todas las implementaciones de DHIS2 que usen las versiones 2.32, 2.33, 2.34, 2.35 y 2.36 instalen estos parches lo antes posible. No se presenta una soluci\u00f3n directa conocida para las instancias de DHIS2 que usan la funcionalidad de Tracker, aparte de actualizar el servidor DHIS2 afectado a uno de los parches en los que ha sido corregida esta vulnerabilidad. Para las implementaciones que NO usan la funcionalidad Tracker, puede ser posible bloquear todo el acceso de red a POST a los endpoints /api/trackedEntityInstance y /api/events como una soluci\u00f3n temporal mientras se espera la actualizaci\u00f3n"}], "id": "CVE-2021-41187", "lastModified": "2021-11-02T19:59:59.007", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2021-11-01T22:15:07.970", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/dhis2/dhis2-core/security/advisories/GHSA-fvm5-gp3j-c7c6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}