CVE-2023-31138 : Security Advisory and Response

Learn about CVE-2023-31138 affecting DHIS2 Core systems and versions. Understand the impact, exploitation mechanism, and mitigation steps to protect your data integrity.

DHIS2 Core vulnerable to Improper Access Control with PATCH requests.

Understanding CVE-2023-31138

DHIS2 Core, which provides the service layer and Web API for DHIS2, is susceptible to Improper Access Control through PATCH requests.

What is CVE-2023-31138?

DHIS2 Core versions prior to 2.37.9.1, 2.38.3.1, and 2.39.1.2 allow authenticated users with write access to an object to modify related objects they should not have access to, via object model traversal in PATCH requests.

The Impact of CVE-2023-31138

This vulnerability has a high integrity impact: an authenticated user can modify sensitive objects in the system that they are not authorized to change.

Technical Details of CVE-2023-31138

DHIS2 Core's vulnerability lies in improper access control with PATCH requests.

Vulnerability Description

By exploiting this vulnerability, authenticated users can modify related objects beyond their intended access, compromising data integrity.

Affected Systems and Versions

        Affected System: DHIS2 Core
        Affected Versions:
            >= 2.36, < 2.37.9.1
            >= 2.38, < 2.38.3.1
            >= 2.39, < 2.39.1.2
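To check an installed DHIS2 Core version against the ranges above, here is an added Python helper (written for this page, not code from DHIS2 or the advisory); the range table is copied from the advisory, while the parsing logic and function names are this example's own.

```python
# Added example: is a given DHIS2 Core version inside the affected ranges
# listed for CVE-2023-31138? Ranges come from the advisory; everything
# else (parsing, helper names) is this example's own assumption.

# (first affected, inclusive), (first fixed, exclusive)
AFFECTED_RANGES = [
    ((2, 36), (2, 37, 9, 1)),
    ((2, 38), (2, 38, 3, 1)),
    ((2, 39), (2, 39, 1, 2)),
]


def parse_version(version: str) -> tuple:
    """Turn '2.38.3.1' into (2, 38, 3, 1); a '-SNAPSHOT' style suffix is ignored."""
    core = version.strip().split("-")[0]
    return tuple(int(part) for part in core.split("."))


def cmp_versions(a: tuple, b: tuple) -> int:
    """Compare two version tuples, padding with zeros so (2, 38) == (2, 38, 0, 0)."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def affected_range(version: str):
    """Return the (low, high) range the version falls in, or None if unaffected."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if cmp_versions(v, low) >= 0 and cmp_versions(v, high) < 0:
            return low, high
    return None


def is_affected(version: str) -> bool:
    return affected_range(version) is not None


def fixed_version_for(version: str):
    """Return the patched release an affected install should move to, else None."""
    found = affected_range(version)
    if found is None:
        return None
    return ".".join(str(part) for part in found[1])


if __name__ == "__main__":
    for v in ("2.36.0", "2.37.9.0", "2.37.9.1", "2.38.2", "2.39.1.2", "2.40.0"):
        print(v, "affected" if is_affected(v) else "not affected", fixed_version_for(v))
```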

Exploitation Mechanism

A user who has write access to one object can use object model traversal in a PATCH request to reach and modify related objects that the user is not authorized to access.

Mitigation and Prevention

To safeguard against CVE-2023-31138, DHIS2 implementers are advised to take immediate action and implement long-term security measures.

Immediate Steps to Take

Implementers should upgrade to a supported, patched DHIS2 version: 2.37.9.1, 2.38.3.1, or 2.39.1.2, whichever matches the installed release line. As a temporary workaround until the upgrade is applied, all PATCH requests can be blocked on the reverse proxy in front of DHIS2.

Long-Term Security Practices

Enhance access controls, regularly update systems, and monitor for unauthorized activities to prevent security breaches.

Patching and Updates

Stay informed about DHIS2 releases for security patches and apply updates promptly to mitigate vulnerabilities.
