CVE-2023-32060

Name of the Vulnerable Software and Affected Versions DHIS2 Core versions 2.35 through 2.36.12 DHIS2 Core versions 2.37 through 2.37.7 DHIS2 Core versions 2.38 through 2.38.1 DHIS2 Core versions 2.39 through 2.39.0 (exclusive of 2.39.0, as 2.39.0 contains a fix)

Description The issue arises when the Category Option Combination Sharing settings are configured to control access to specific tracker program events or program stages. In such cases, the /trackedEntityInstances and /events API endpoints may include all events, disregarding the sharing settings applied to the category option combinations. This could allow users to access events they should not be able to see based on the sharing settings of the category options. Although these events will not appear in the user interface for web-based Tracker Capture or Capture applications, they will be displayed to the user if the Android Capture App is used.

Recommendations For DHIS2 Core versions 2.35 through 2.36.12, update to version 2.36.13 or later. For DHIS2 Core versions 2.37 through 2.37.7, update to version 2.37.8 or later. For DHIS2 Core versions 2.38 through 2.38.1, update to version 2.38.2 or later. For DHIS2 Core versions prior to 2.39.0 (exclusive of 2.39.0), update to version 2.39.0 or later.