PT-2022-26178 · Dhis2 · Dhis2
Philip-Larsen-Donnelly · Published 2022-12-08 · Updated 2022-12-12 · CVE-2022-41949
CVSS v3.1: 5.0 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
DHIS2 versions prior to 2.36.12.1
DHIS2 versions prior to 2.37.8.1
DHIS2 versions prior to 2.38.2.1
DHIS2 versions prior to 2.39.0.1
Description
DHIS 2 is an open source information system for data capture, management, validation, analytics and visualization. In affected versions, an authenticated DHIS2 user can craft a request that instructs the DHIS2 server to make requests to external resources, such as third-party servers. This could allow an attacker to identify vulnerable services that might not otherwise be exposed to the public internet, or to determine whether a specific file is present on the DHIS2 server.
Recommendations
For versions prior to 2.36.12.1, upgrade to version 2.36.12.1.
For versions prior to 2.37.8.1, upgrade to version 2.37.8.1.
For versions prior to 2.38.2.1, upgrade to version 2.38.2.1.
For versions prior to 2.39.0.1, upgrade to version 2.39.0.1.
Exploit · Fix · SSRF
Affected Products
Dhis2