Michael-Markevich

**Name of the Vulnerable Software and Affected Versions** DHIS2 Core versions 2.36 through 2.37.9.1 DHIS2 Core versions 2.36 through 2.38.3.1 DHIS2 Core versions 2.36 through 2.39.1.2 **Description** DHIS2 Core contains the service layer and Web API for DHIS2, an information system for data capture. Using object model traversal in the payload of a `PATCH` request, authenticated users with write access to an object may be able to modify related objects that they should not have access to. **Recommendations** For DHIS2 Core versions 2.36 through 2.37.9.1, upgrade to version 2.37.9.1 to receive a patch. For DHIS2 Core versions 2.36 through 2.38.3.1, upgrade to version 2.38.3.1 to receive a patch. For DHIS2 Core versions 2.36 through 2.39.1.2, upgrade to version 2.39.1.2 to receive a patch. As a temporary workaround, consider blocking all `PATCH` requests on a reverse proxy, but this may cause some issues with the functionality of built-in applications using legacy `PATCH` requests.

**Name of the Vulnerable Software and Affected Versions** DHIS2 Core versions prior to 2.37.9.1 DHIS2 Core versions prior to 2.38.3.1 DHIS2 Core versions prior to 2.39.1.2 **Description** DHIS2 Core contains the service layer and Web API for DHIS2, an information system for data capture. Starting in the 2.37 branch, Personal Access Tokens (PATs) generate unrestricted session cookies, which may lead to a bypass of other access restrictions, such as those based on allowed IP addresses or HTTP methods. **Recommendations** For versions prior to 2.37.9.1, upgrade to version 2.37.9.1. For versions prior to 2.38.3.1, upgrade to version 2.38.3.1. For versions prior to 2.39.1.2, upgrade to version 2.39.1.2. As a temporary workaround, consider adding extra access control validations on a reverse proxy to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** DHIS2 Core versions 2.35 through 2.36.12 DHIS2 Core versions 2.37 through 2.37.7 DHIS2 Core versions 2.38 through 2.38.1 DHIS2 Core versions 2.39 through 2.39.0 (exclusive of 2.39.0, as 2.39.0 contains a fix) **Description** The issue arises when the Category Option Combination Sharing settings are configured to control access to specific tracker program events or program stages. In such cases, the `/trackedEntityInstances` and `/events` API endpoints may include all events, disregarding the sharing settings applied to the category option combinations. This could allow users to access events they should not be able to see based on the sharing settings of the category options. Although these events will not appear in the user interface for web-based Tracker Capture or Capture applications, they will be displayed to the user if the Android Capture App is used. **Recommendations** For DHIS2 Core versions 2.35 through 2.36.12, update to version 2.36.13 or later. For DHIS2 Core versions 2.37 through 2.37.7, update to version 2.37.8 or later. For DHIS2 Core versions 2.38 through 2.38.1, update to version 2.38.2 or later. For DHIS2 Core versions prior to 2.39.0 (exclusive of 2.39.0), update to version 2.39.0 or later.