Vulnerability Details : CVE-2022-41948
DHIS 2 is an open source information system for data capture, management, validation, analytics and visualization. Affected versions are subject to a privilege escalation vulnerability. A DHIS2 user with authority to manage users can assign superuser privileges to themself by manually crafting an HTTP PUT request. Only users with the following DHIS2 user role authorities can exploit this vulnerability. Note that in many systems the only users with user admin privileges are also superusers. In these cases, the escalation vulnerability does not exist. The vulnerability is only exploitable by attackers who can authenticate as users with the user admin authority. As this is usually a small and relatively trusted set of users, exploit vectors will often be limited. DHIS2 administrators should upgrade to the following hotfix releases: 2.36.12.1, 2.37.8.1, 2.38.2.1, 2.39.0.1. The only known workaround to this issue is to avoid the assignment of the user management authority to any users until the patch has been applied.
Vulnerability category: Gain privilege
Products affected by CVE-2022-41948
- cpe:2.3:a:dhis2:dhis_2:*:*:*:*:*:*:*:*
- cpe:2.3:a:dhis2:dhis_2:*:*:*:*:*:*:*:*
- cpe:2.3:a:dhis2:dhis_2:*:*:*:*:*:*:*:*
- cpe:2.3:a:dhis2:dhis_2:2.39.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-41948
0.10%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 43 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-41948
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.2
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
1.2
|
5.9
|
NIST | |
6.7
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L |
1.2
|
5.5
|
GitHub, Inc. |
CWE ids for CVE-2022-41948
-
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.Assigned by: security-advisories@github.com (Primary)
References for CVE-2022-41948
-
https://github.com/dhis2/dhis2-core/security/advisories/GHSA-59fm-8432-2426
Privilege Chaining with the user admin role in dhis2-core · Advisory · dhis2/dhis2-core · GitHubThird Party Advisory
Jump to