1. Home
  2. CVE Database
  3. CVE-2023-31138
HIGH · 7.1

CVE-2023-31138

DHIS2 Core contains the service layer and Web API for DHIS2, an information system for data capture. Starting in the 2.36 branch and prior to versions 2.37.9.1, 2.38.3.1, and 2.39.1.2, using object mo...

Vulnerability Description

DHIS2 Core contains the service layer and Web API for DHIS2, an information system for data capture. Starting in the 2.36 branch and prior to versions 2.37.9.1, 2.38.3.1, and 2.39.1.2, using object model traversal in the payload of a PATCH request, authenticated users with write access to an object may be able to modify related objects that they should not have access to. DHIS2 implementers should upgrade to a supported version of DHIS2 to receive a patch: 2.37.9.1, 2.38.3.1, or 2.39.1.2. It is possible to work around this issue by blocking all PATCH requests on a reverse proxy, but this may cause some issues with the functionality of built-in applications using legacy PATCH requests.

CVSS Score

7.1

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
HIGH
Availability
LOW

Affected Products

VendorProductVersions
Dhis2Dhis 2>= 2.36.0, < 2.37.9.1

Related Weaknesses (CWE)

CWE-284CWE-863

References

FAQ

What is CVE-2023-31138?

CVE-2023-31138 is a vulnerability with a CVSS score of 7.1 (HIGH). DHIS2 Core contains the service layer and Web API for DHIS2, an information system for data capture. Starting in the 2.36 branch and prior to versions 2.37.9.1, 2.38.3.1, and 2.39.1.2, using object mo...

How severe is CVE-2023-31138?

CVE-2023-31138 has been rated HIGH with a CVSS base score of 7.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-31138?

Check the references section above for vendor advisories and patch information. Affected products include: Dhis2 Dhis 2.