PT-2021-19870 · Dhis2 · Dhis2

Published 2021-06-24 · Updated 2021-07-08 · CVE-2021-32704

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

DHIS2 versions 2.34.4, 2.35.2, 2.35.3, 2.35.4, and 2.36.0

Description

A SQL injection security issue has been found in DHIS2, affecting the "/api/trackedEntityInstances" API endpoint. This issue can be exploited by logged-in users, allowing them to read, edit, and delete data in the DHIS2 instance. There are no known exploits of this issue, but it is recommended that all DHIS2 implementations using affected versions install patches as soon as possible.

Recommendations

For versions 2.34.4, 2.35.2, 2.35.3, 2.35.4, and 2.36.0, upgrade the affected DHIS2 server to a patched version. For implementations using Tracker functionality, there is no known workaround other than upgrading. For implementations not using Tracker functionality, consider blocking all network access to POST requests to the "/api/trackedEntityInstances" endpoint as a temporary workaround while waiting to upgrade.
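One way to apply the temporary workaround above at a reverse proxy, as an added example that is not part of the advisory or of the DHIS2 project: the nginx fragment below rejects POST requests to the affected endpoint (and its sub-paths, which share the same prefix) while still passing other methods and all other paths to the application. It assumes DHIS2 is served at the root of the virtual host and that the upstream name `dhis2_backend` is defined elsewhere in the nginx configuration; both are assumptions, not values from the advisory. If DHIS2 runs under a context path, prefix the `location` accordingly.

```nginx
# Temporary mitigation for CVE-2021-32704: block POST to /api/trackedEntityInstances.
# Remove once the server is upgraded to a patched DHIS2 version.
# Assumes DHIS2 is served at "/" and that "dhis2_backend" is an upstream defined elsewhere.

location ^~ /api/trackedEntityInstances {
    # Reject the method the advisory names as the workaround target; GET/HEAD etc. still pass.
    if ($request_method = POST) {
        return 403;
    }
    proxy_pass http://dhis2_backend;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

location / {
    proxy_pass http://dhis2_backend;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
```

Logging the blocked requests (for example by pointing `access_log` for that `location` at a separate file) makes it easy to see whether anything legitimate depends on the endpoint before the upgrade is scheduled, and to confirm the block is actually in effect after an `nginx -t` and reload.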

Fix

SQL injection


Weakness Enumeration

Related Identifiers

CVE-2021-32704
GHSA-FJ38-585H-HXGJ

Affected Products

Dhis2