Hapi Fhir · Hapi Fhir · CVE-2021-32053
Name of the Vulnerable Software and Affected Versions:
HAPI FHIR versions prior to 5.4.0
Description:
The issue allows a user to deny service, for example, disable access to the database after the attack stops, via history requests. This occurs because of a SELECT COUNT statement that requires a full index scan, with an accompanying large amount of server resources if there are many simultaneous history requests.
Recommendations:
For versions prior to 5.4.0, update to version 5.4.0 or later to resolve the issue. As a temporary workaround, consider restricting access to history requests to minimize the risk of exploitation.