PT-2021-22437 · Dhis2 · Dhis2

Philip-Larsen-Donnelly · Published 2021-10-29 · Updated 2021-11-03 · CVE-2021-39179

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: DHIS2 versions 2.32 through 2.36

Description: A SQL Injection vulnerability in the Tracker component in DHIS2 Server allows authenticated remote attackers to execute arbitrary SQL commands via unspecified vectors, affecting the "/api/trackedEntityInstances" and "/api/trackedEntityInstances/query" API endpoints. The system is vulnerable to attack only from users that are logged in to DHIS2, and there is no known way of exploiting the vulnerability without first being logged in as a DHIS2 user. A successful exploit of this vulnerability could allow the malicious user to read, edit and delete data in the DHIS2 instance.

Recommendations: For versions 2.32 and 2.33, upgrade to the latest end-of-support builds, 2.32-EOS and 2.33-EOS, respectively. For versions 2.34, 2.35, and 2.36, upgrade to versions 2.34.7, 2.35.7, and 2.36.4, respectively. As a temporary workaround for implementations that do not use Tracker functionality, consider blocking all network access to POST requests to the "/api/trackedEntityInstances" and "/api/trackedEntityInstances/query" endpoints.
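The temporary workaround above (reject POST requests to the two Tracker endpoints) can be applied at a reverse proxy in front of DHIS2. The following nginx configuration is an added example and is not part of the advisory or of the DHIS2 project; the upstream name "dhis2_backend", the backend address 127.0.0.1:8080 and the hostname dhis2.example.org are assumptions, while the two paths are the endpoints the advisory names.

```nginx
# Added example (not from the advisory): nginx reverse-proxy rules that
# implement the advisory's temporary workaround by returning 403 for POST
# requests to the two affected Tracker endpoints. Only for deployments
# that do not use Tracker; the real fix is the upgrade the advisory lists.
upstream dhis2_backend {
    server 127.0.0.1:8080;   # assumed DHIS2 (Tomcat) address
}

server {
    listen 443 ssl;
    server_name dhis2.example.org;   # placeholder hostname
    # ssl_certificate / ssl_certificate_key as in your existing config

    # Regex location: matches /api/trackedEntityInstances and
    # /api/trackedEntityInstances/query (query strings are not part of $uri).
    # POST is rejected; other methods on these paths still reach DHIS2.
    location ~ ^/api/trackedEntityInstances(/query)?$ {
        if ($request_method = POST) {
            return 403;
        }
        proxy_pass http://dhis2_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Everything else is proxied unchanged.
    location / {
        proxy_pass http://dhis2_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

After `nginx -t` and a reload, confirm the rule with a POST to each path (for example `curl -s -o /dev/null -w '%{http_code}' -X POST https://dhis2.example.org/api/trackedEntityInstances`, expecting 403) and with a GET to verify normal traffic still passes. If DHIS2 is served under a context path rather than at the root, prefix the regex accordingly, and keep in mind that this blocks legitimate Tracker POSTs as well, which is why the advisory limits the workaround to implementations that do not use Tracker.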

Exploit

Fix

SQL injection


Weakness Enumeration

Related Identifiers

CVE-2021-39179
GHSA-CMPC-FRJV-RRMW

Affected Products

Dhis2