PT-2021-23160 · Dhis2 · Dhis2

Philip-Larsen-Donnelly · Published 2021-11-01 · Updated 2021-11-02

CVE-2021-41187

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: DHIS2 versions 2.32 through 2.36

Description: DHIS2 is an information system for data capture, management, validation, analytics, and visualization. A SQL injection security issue has been found in specific versions of DHIS2, affecting the API endpoints "/api/trackedEntityInstances" and "/api/events". The system is vulnerable to attack only from users that are logged in to DHIS2, and there is no known way of exploiting the issue without first being logged in as a DHIS2 user. A successful exploit could allow the malicious user to read, edit, and delete data in the DHIS2 instance. There are no known exploits of the security issues addressed by these patch releases.

Recommendations: For versions 2.32 through 2.36, install the patches as soon as possible to fix the issue. As a temporary workaround for implementations that do not use Tracker functionality, consider blocking all network access to POST requests to the "/api/trackedEntityInstances" and "/api/events" endpoints while waiting to upgrade. For implementations using Tracker functionality, there is no straightforward known workaround other than upgrading the affected DHIS2 server to one of the patches in which this issue has been fixed.
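The temporary workaround above, expressed as an nginx reverse-proxy fragment placed in front of DHIS2. This is an added example, not configuration from the advisory or from the DHIS2 project; the upstream name `dhis2_backend`, its address, the hostname, the certificate paths and the optional numeric API-version segment in the path pattern are all assumptions. It denies every method except GET and HEAD on the two affected endpoints, which is slightly stricter than the POST-only block the advisory names, and it only suits deployments that do not use Tracker functionality.

```nginx
# Added example: temporary workaround from the advisory, applied at an nginx
# reverse proxy in front of DHIS2 while waiting to install the patch release.
# Assumptions: DHIS2 is served at the site root by the upstream dhis2_backend.
upstream dhis2_backend {
    server 127.0.0.1:8080;   # assumed address of the DHIS2 Tomcat instance
}

server {
    listen 443 ssl;
    server_name dhis2.example.org;                  # placeholder hostname
    ssl_certificate     /etc/ssl/PLACEHOLDER.crt;   # placeholder paths
    ssl_certificate_key /etc/ssl/PLACEHOLDER.key;

    # Allow only read-only methods on the two affected endpoints.
    # limit_except GET also permits HEAD; everything else gets 403.
    # The optional numeric segment covers versioned paths such as
    # /api/36/events; that form is an assumption, not stated in the advisory.
    location ~ ^/api/(\d+/)?(trackedEntityInstances|events)(/|$) {
        limit_except GET {
            deny all;
        }
        proxy_pass http://dhis2_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # All other DHIS2 traffic passes through unchanged.
    location / {
        proxy_pass http://dhis2_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

After reloading nginx, a POST to either endpoint should receive 403 from the proxy and never reach DHIS2, while GET requests still work; check the access log for 403 responses on those paths to confirm the rule is matching. Remove the block once the patched DHIS2 release is installed, since it also breaks legitimate Tracker writes.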

Fix

SQL injection


Weakness Enumeration

Related Identifiers

CVE-2021-41187
GHSA-FVM5-GP3J-C7C6

Affected Products

Dhis2