CVE-2023-31139 MEDIUM

CVE-2023-31139: DHIS2 Core unrestricted session cookies with Personal Access Tokens

Vendor Dhis2

Product dhis2-core

Weakness CWE-613 · Insufficient session expiration

Published May 9, 2023

Last update January 28, 2025

View on NVD All CVEs

CVSS base score

4.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality Low

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

DHIS2 Core contains the service layer and Web API for DHIS2, an information system for data capture. Starting in the 2.37 branch and prior to versions 2.37.9.1, 2.38.3.1, and 2.39.1.2, Personal Access Tokens (PATs) generate unrestricted session cookies. This may lead to a bypass of other access restrictions (for example, based on allowed IP addresses or HTTP methods). DHIS2 implementers should upgrade to a supported version of DHIS2: 2.37.9.1, 2.38.3.1, or 2.39.1.2. Implementers can work around this issue by adding extra access control validations on a reverse proxy.

Key dates

02Disclosure timeline

May 9, 2023 CVE published

January 28, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-31139 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/613.html

Related vulnerabilities

Identifiers

CVE CVE-2023-31139

CWE CWE-613

CVSS 4.3 / MEDIUM

Affected versions

Vendor Dhis2

Product dhis2-core

Affected >= 2.37, < 2.37.9.1

Vendor Dhis2

Product dhis2-core

Affected >= 2.38, < 2.38.3.1

Vendor Dhis2

Product dhis2-core

Affected >= 2.39, < 2.39.1.2

CVE-2023-31139: DHIS2 Core unrestricted session cookies with Personal Access Tokens

01Description

02Disclosure timeline

03References

04Related CVE