CVE-2022-41949

Published: Dec 8, 2022

Modified: Apr 23, 2025

PUBLISHED

CVSS v3.1: 5.0 (MEDIUM)

Description

DHIS 2 is an open source information system for data capture, management, validation, analytics and visualization. In affected versions an authenticated DHIS2 user can craft a request to DHIS2 to instruct the server to make requests to external resources (like third party servers). This could allow an attacker, for example, to identify vulnerable services which might not be otherwise exposed to the public internet or to determine whether a specific file is present on the DHIS2 server. DHIS2 administrators should upgrade to the following hotfix releases: 2.36.12.1, 2.37.8.1, 2.38.2.1, 2.39.0.1. At this time, there is no known workaround or mitigation for this vulnerability.

Vendor: dhis2

Product: dhis2-core

Versions:

affected: < 2.36.12.1
affected: >= 2.37.0.0, < 2.37.8.1
affected: >= 2.38.0.0, < 2.38.2.1
affected: >= 2.39.0.0, < 2.39.0.1

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: None
Availability: None
