PT-2022-26177 · Dhis2 · Dhis2

Netroms +1

Published 2022-12-08 · Updated 2022-12-12 · CVE-2022-41948

CVSS v3.1: 6.7 Medium
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions
DHIS 2 versions prior to 2.36.12.1
DHIS 2 versions prior to 2.37.8.1
DHIS 2 versions prior to 2.38.2.1
DHIS 2 versions prior to 2.39.0.1
Description
DHIS 2 is an open source information system for data capture, management, validation, analytics and visualization. Affected versions contain a privilege escalation vulnerability: a DHIS2 user who holds the authority to manage users can grant superuser privileges to themself by manually crafting an HTTP PUT request that updates their own user record, because the affected versions do not reject a user admin assigning the superuser role to themself. Exploitation requires authenticating as a user who holds the user admin authority; no other role can trigger it. Since this is usually a small and relatively trusted set of accounts, the pool of potential attackers is limited, but any compromise of such an account (phished credentials, a malicious insider) turns user-admin access into full superuser control of the instance.
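The authorization gap the description points at, modelled as an added example in illustrative Python (this is not DHIS2's code): a user-update handler that only checks that the caller holds the user-admin authority and then stores whatever authority set the PUT body carries, beside a hardened handler that refuses to grant anything the caller does not hold. The authority names ALL (superuser) and MANAGE_USERS (user admin), the User model and the request payload are assumptions constructed for the example.

```python
"""Illustrative model of the authorization gap behind CVE-2022-41948.

Added example, not DHIS2 code. Assumptions: "ALL" stands in for the
superuser authority, "MANAGE_USERS" for the user-admin authority, and the
`requested` list for the authority set carried in the body of a PUT to a
user-update endpoint.
"""
from dataclasses import dataclass, field

SUPERUSER = "ALL"              # assumed name of the grant-everything authority
MANAGE_USERS = "MANAGE_USERS"  # hypothetical user-admin authority


class Forbidden(Exception):
    """Raised when an update would grant more than the caller may grant."""


@dataclass
class User:
    uid: str
    authorities: set = field(default_factory=set)

    def is_superuser(self) -> bool:
        return SUPERUSER in self.authorities


def vulnerable_update(actor: User, target: User, requested) -> User:
    """Vulnerable shape: checks only that the caller is a user admin, then
    writes whatever authority set the request body carries. A user admin who
    sends target == actor with the superuser authority in the body becomes
    superuser."""
    if MANAGE_USERS not in actor.authorities:
        raise Forbidden(f"{actor.uid} may not manage users")
    target.authorities = set(requested)
    return target


def hardened_update(actor: User, target: User, requested) -> User:
    """Hardened shape: the caller may only grant authorities the caller holds,
    and only a superuser may grant the superuser authority."""
    if MANAGE_USERS not in actor.authorities:
        raise Forbidden(f"{actor.uid} may not manage users")
    requested = set(requested)
    if actor.is_superuser():
        target.authorities = requested  # superusers may grant anything
        return target
    # A non-superuser can never hand out the superuser authority, to anyone,
    # which also covers the self-grant from the advisory.
    if SUPERUSER in requested:
        raise Forbidden(f"{actor.uid} may not grant {SUPERUSER}")
    # Only authorities the target does not already hold count as a grant,
    # and every such grant must be one the caller holds.
    granted = requested - target.authorities
    missing = granted - actor.authorities
    if missing:
        raise Forbidden(f"{actor.uid} lacks {sorted(missing)} and cannot grant them")
    target.authorities = requested
    return target


def demo() -> dict:
    """Replay the self-elevation against both handlers and report the outcome."""
    admin = User("admin1", {MANAGE_USERS, "VIEW"})
    payload = [MANAGE_USERS, "VIEW", SUPERUSER]  # constructed PUT body: adds ALL to self
    vulnerable_update(admin, admin, payload)
    escalated = admin.is_superuser()

    admin = User("admin1", {MANAGE_USERS, "VIEW"})
    try:
        hardened_update(admin, admin, payload)
        blocked = False
    except Forbidden:
        blocked = True
    return {
        "vulnerable_escalated": escalated,
        "hardened_blocked": blocked,
        "hardened_still_admin": admin.authorities == {MANAGE_USERS, "VIEW"},
    }


if __name__ == "__main__":
    print(demo())
```

Running the file replays the self-grant against both handlers: the vulnerable one leaves the admin holding the superuser authority, the hardened one raises Forbidden and leaves the account unchanged. The rule "you may only grant what you hold" also blocks the lateral variant, a user admin granting superuser to a second account they control, which a check limited to the caller's own record would miss.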
Recommendations
For DHIS 2 versions prior to 2.36.12.1, upgrade to version 2.36.12.1.
For DHIS 2 versions prior to 2.37.8.1, upgrade to version 2.37.8.1.
For DHIS 2 versions prior to 2.38.2.1, upgrade to version 2.38.2.1.
For DHIS 2 versions prior to 2.39.0.1, upgrade to version 2.39.0.1.
As a temporary workaround, avoid assigning the user management authority to any user until the patch has been applied. Before and after patching, review which accounts currently hold that authority and check for superuser privileges on accounts that should not have them, since the upgrade does not revoke grants that were already made.

Weakness Enumeration
Improper Privilege Management (CWE-269)

Related Identifiers
CVE-2022-41948
GHSA-59FM-8432-2426

Affected Products

Dhis2