CVE-2022-39230 - OpenCVE

fhir-works-on-aws-authz-smart is an implementation of the authorization interface from the FHIR Works interface. Versions 3.1.1 and 3.1.2 are subject to Exposure of Sensitive Information to an Unauthorized Actor. This issue allows a client of the API to retrieve more information than the client’s OAuth scope permits when making “search-type” requests. This issue would not allow a client to retrieve information about individuals other than those the client was already authorized to access. Users of fhir-works-on-aws-authz-smart 3.1.1 or 3.1.2 should upgrade to version 3.1.3 or higher immediately. Versions 3.1.0 and below are unaffected. There is no workaround for this issue.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Amazon	Fhir-works-on-aws-authz-smart

Configuration 1 [-]

cpe:2.3:a:amazon:fhir-works-on-aws-authz-smart:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/awslabs/fhir-works-on-aws-authz-smart/security/advisories/GHSA-vv7x-7w4m-q72f

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-09-23T07:10:08

Updated: 2024-08-03T12:00:43.326Z

Reserved: 2022-09-02T00:00:00

Link: CVE-2022-39230

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-09-23T07:15:09.380

Modified: 2022-09-26T17:20:26.010

Link: CVE-2022-39230

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "fhir-works-on-aws-authz-smart", "vendor": "awslabs", "versions": [{"status": "affected", "version": "> 3.1.0, < 3.1.3"}]}], "descriptions": [{"lang": "en", "value": "fhir-works-on-aws-authz-smart is an implementation of the authorization interface from the FHIR Works interface. Versions 3.1.1 and 3.1.2 are subject to Exposure of Sensitive Information to an Unauthorized Actor. This issue allows a client of the API to retrieve more information than the client\u2019s OAuth scope permits when making \u201csearch-type\u201d requests. This issue would not allow a client to retrieve information about individuals other than those the client was already authorized to access. Users of fhir-works-on-aws-authz-smart 3.1.1 or 3.1.2 should upgrade to version 3.1.3 or higher immediately. Versions 3.1.0 and below are unaffected. There is no workaround for this issue."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-09-23T07:10:08", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/awslabs/fhir-works-on-aws-authz-smart/security/advisories/GHSA-vv7x-7w4m-q72f"}], "source": {"advisory": "GHSA-vv7x-7w4m-q72f", "discovery": "UNKNOWN"}, "title": "Security issue in fhir-works-on-aws-authz-smart", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-39230", "STATE": "PUBLIC", "TITLE": "Security issue in fhir-works-on-aws-authz-smart"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "fhir-works-on-aws-authz-smart", "version": {"version_data": [{"version_value": "> 3.1.0, < 3.1.3"}]}}]}, "vendor_name": "awslabs"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "fhir-works-on-aws-authz-smart is an implementation of the authorization interface from the FHIR Works interface. Versions 3.1.1 and 3.1.2 are subject to Exposure of Sensitive Information to an Unauthorized Actor. This issue allows a client of the API to retrieve more information than the client\u2019s OAuth scope permits when making \u201csearch-type\u201d requests. This issue would not allow a client to retrieve information about individuals other than those the client was already authorized to access. Users of fhir-works-on-aws-authz-smart 3.1.1 or 3.1.2 should upgrade to version 3.1.3 or higher immediately. Versions 3.1.0 and below are unaffected. There is no workaround for this issue."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}]}, "references": {"reference_data": [{"name": "https://github.com/awslabs/fhir-works-on-aws-authz-smart/security/advisories/GHSA-vv7x-7w4m-q72f", "refsource": "CONFIRM", "url": "https://github.com/awslabs/fhir-works-on-aws-authz-smart/security/advisories/GHSA-vv7x-7w4m-q72f"}]}, "source": {"advisory": "GHSA-vv7x-7w4m-q72f", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T12:00:43.326Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/awslabs/fhir-works-on-aws-authz-smart/security/advisories/GHSA-vv7x-7w4m-q72f"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-39230", "datePublished": "2022-09-23T07:10:08", "dateReserved": "2022-09-02T00:00:00", "dateUpdated": "2024-08-03T12:00:43.326Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:amazon:fhir-works-on-aws-authz-smart:*:*:*:*:*:*:*:*", "matchCriteriaId": "40A55A80-6A24-44DD-982C-F4F233932D72", "versionEndExcluding": "3.1.3", "versionStartIncluding": "3.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "fhir-works-on-aws-authz-smart is an implementation of the authorization interface from the FHIR Works interface. Versions 3.1.1 and 3.1.2 are subject to Exposure of Sensitive Information to an Unauthorized Actor. This issue allows a client of the API to retrieve more information than the client\u2019s OAuth scope permits when making \u201csearch-type\u201d requests. This issue would not allow a client to retrieve information about individuals other than those the client was already authorized to access. Users of fhir-works-on-aws-authz-smart 3.1.1 or 3.1.2 should upgrade to version 3.1.3 or higher immediately. Versions 3.1.0 and below are unaffected. There is no workaround for this issue."}, {"lang": "es", "value": "fhir-works-on-aws-authz-smart es una implementaci\u00f3n de la interfaz de autorizaci\u00f3n de la interfaz FHIR Works. Las versiones 3.1.1 y 3.1.2, est\u00e1n sujetas a una Exposici\u00f3n de Informaci\u00f3n Confidencial a un Actor No Autorizado. Este problema permite que un cliente de la API recupere m\u00e1s informaci\u00f3n de la que permite el \u00e1mbito de OAuth del cliente cuando realiza peticiones de tipo \"search-type\". Este problema no permitir\u00eda a un cliente recuperar informaci\u00f3n sobre individuos distintos de aquellos a los que el cliente ya estaba autorizado a acceder. Los usuarios de fhir-works-on-aws-authz-smart versiones 3.1.1 o 3.1.2, deben actualizar a versi\u00f3n 3.1.3 o superior inmediatamente. Las versiones 3.1.0 y anteriores no est\u00e1n afectadas. No se presenta ninguna mitigaci\u00f3n para este problema."}], "id": "CVE-2022-39230", "lastModified": "2022-09-26T17:20:26.010", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-09-23T07:15:09.380", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/awslabs/fhir-works-on-aws-authz-smart/security/advisories/GHSA-vv7x-7w4m-q72f"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Primary"}]}