Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
cve[email protected]CVE-2022-24848
HistoryJun 01, 2022 - 6:15 p.m.

CVE-2022-24848

2022-06-0118:15:07
CWE-89
[email protected]
web.nvd.nist.gov
710
2
dhis2
sql injection
security vulnerability
api
data capture
data management
data validation
analytics
visualization
cve-2022-24848

6.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.8 High

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

65.3%

JSON

DHIS2 is an information system for data capture, management, validation, analytics and visualization. A SQL injection security vulnerability affects the /api/programs/orgUnits?programs= API endpoint in DHIS2 versions prior to 2.36.10.1 and 2.37.6.1. The system is vulnerable to attack only from users that are logged in to DHIS2, and there is no known way of exploiting the vulnerability without first being logged in as a DHIS2 user. The vulnerability is not exposed to a non-malicious user and requires a conscious attack to be exploited. A successful exploit of this vulnerability could allow the malicious user to read, edit and delete data in the DHIS2 instance’s database. Security patches are now available for DHIS2 versions 2.36.10.1 and 2.37.6.1. One may apply mitigations at the web proxy level as a workaround. More information about these mitigations is available in the GitHub Security Advisory.

Affected configurations

Vulners
NVD
Node
dhis2dhis_2Range2.36.10
OR
dhis2dhis_2Range2.372.37.6
VendorProductVersionCPE
dhis2dhis_2*cpe:2.3:a:dhis2:dhis_2:*:*:*:*:*:*:*:*
dhis2dhis_2*cpe:2.3:a:dhis2:dhis_2:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "product": "dhis2-core",
    "vendor": "dhis2",
    "versions": [
      {
        "status": "affected",
        "version": "<= 2.36.10"
      },
      {
        "status": "affected",
        "version": ">= 2.37, <= 2.37.6"
      }
    ]
  }
]

Social References

More

Related

nvd 1
prion 1
cvelist 1
osv 1
cnvd 1
nvd
nvd
CVE-2022-24848
2022-06-01 18:15:07
prion
prion
Sql injection
2022-06-01 18:15:00
cvelist
cvelist
CVE-2022-24848 SQL Injection in DHIS2's in OrgUnit program association
2022-06-01 17:20:14
osv
osv
CVE-2022-24848
2022-06-01 18:15:07
cnvd
cnvd
DHIS2 SQL Injection Vulnerability
2022-06-02 00:00:00

6.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.8 High

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

65.3%

JSON
Related for CVE-2022-24848
nvd1prion1cvelist1osv1cnvd1