CVE-2022-24848: DHIS2 is affected by a SQL injection vulnerability in the `/api/programs/orgUnits?programs=` endpoint. Versions prior to 2.36.10.1 and 2.37.6.1 are affected.
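As an added illustration, not code from DHIS2 or from this advisory, the Python/sqlite3 sketch below contrasts the injection pattern described above (a comma-separated `programs` parameter spliced into an SQL IN list) with a hardened version that validates each identifier and binds it as a parameter. The 11-character alphanumeric UID format, the `program` table and its sample rows are assumptions constructed for the example.

```python
import re
import sqlite3

# Assumed identifier format for the example: 11 alphanumeric characters,
# starting with a letter (constructed constraint, not taken from the advisory).
UID_RE = re.compile(r"^[A-Za-z][A-Za-z0-9]{10}$")


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a program table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE program (uid TEXT PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO program VALUES (?, ?)",
        [("IpHINAT79UW", "Child Programme"),
         ("WSGAb5XwJ3Y", "Antenatal care"),
         ("ur1Edk5Oe2n", "TB programme")],
    )
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, programs: str) -> list:
    """Flawed pattern: the raw `programs` query parameter is quoted and
    spliced into the SQL text, so a quote in the input rewrites the query."""
    quoted = ",".join(f"'{p}'" for p in programs.split(","))
    sql = f"SELECT uid FROM program WHERE uid IN ({quoted})"
    return [row[0] for row in conn.execute(sql)]


def valid_program_ids(programs: str):
    """Split the comma-separated parameter and return the identifiers, or
    None if any element fails the UID format check (allow-list validation)."""
    ids = [p.strip() for p in programs.split(",") if p.strip()]
    if any(not UID_RE.match(p) for p in ids):
        return None
    return ids


def hardened_lookup(conn: sqlite3.Connection, programs: str) -> list:
    """Fix: reject malformed identifiers, then bind each accepted value as a
    parameter so user input never becomes part of the statement text."""
    ids = valid_program_ids(programs)
    if ids is None:
        raise ValueError("programs parameter contains an invalid identifier")
    if not ids:
        return []
    placeholders = ",".join("?" * len(ids))
    sql = f"SELECT uid FROM program WHERE uid IN ({placeholders})"
    return [row[0] for row in conn.execute(sql, ids)]
```

With the constructed rows, a tautology-style value for `programs` makes `vulnerable_lookup` return every program, while `hardened_lookup` rejects the same value before any SQL runs.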
If you are running DHIS2 version 2.38.0 or later, there is no need to take any action. The latest version of DHIS2 is always available on the DHIS2 downloads page. Details of the vulnerability and the patch can be found in the conclusion section of this advisory. If you have any questions, contact DHIS2 support at https://support.nic.in/contact-us.
Why Is This Advisory Being Published?
DHIS2 has released a new patch for its product.
The Department of Health and Human Services, India (DHIS2) has released a new patch for its product. DHIS2 is open source software used by many government organizations in India to manage the health records of their beneficiaries. To update your software to the latest version, download it from https://www.dhiapplication.com/downloads/.
Summary of the Issue
The DHIS2 software on a Dell Vostro 1003/1011, running Windows XP with Service Pack 3 and Intel Core 2 Duo CPU P7350 @ 2.00GHz, is affected by a security issue that may allow a remote attacker to gain unauthorized access to your data.
If you are using this system, contact your support team to have it patched by April 22, 2019. If you do not receive a response within the next five business days or the patching fails, contact Support again.
Timeline
Published on: 06/01/2022 18:15:00 UTC
Last modified on: 06/08/2022 18:44:00 UTC
References
- https://github.com/dhis2/dhis2-core/pull/10953
- https://github.com/dhis2/dhis2-core/commit/ef04483a9b177d62e48dcf4e498b302a11f95e7d
- https://github.com/dhis2/dhis2-core/commit/3b245d04a58b78f0dc9bae8559f36ee4ca36dfac
- https://github.com/dhis2/dhis2-core/security/advisories/GHSA-52vp-f7hj-cj92
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-24848