Vulnerability Details : CVE-2023-31139
DHIS2 Core contains the service layer and Web API for DHIS2, an information system for data capture. Starting in the 2.37 branch and prior to versions 2.37.9.1, 2.38.3.1, and 2.39.1.2, Personal Access Tokens (PATs) generate unrestricted session cookies. This may lead to a bypass of other access restrictions (for example, based on allowed IP addresses or HTTP methods). DHIS2 implementers should upgrade to a supported version of DHIS2: 2.37.9.1, 2.38.3.1, or 2.39.1.2. Implementers can work around this issue by adding extra access control validations on a reverse proxy.
Products affected by CVE-2023-31139
- cpe:2.3:a:dhis2:dhis_2:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-31139
- EPSS score: 0.10% (probability of exploitation activity in the next 30 days)
- Percentile: ~44% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2023-31139
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 | NIST | |
4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | 2.8 | 1.4 | GitHub, Inc. | |
CWE ids for CVE-2023-31139
- According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
  Assigned by: security-advisories@github.com (Primary)
References for CVE-2023-31139
- https://github.com/dhis2/dhis2-releases/blob/master/releases/2.38/ReleaseNote-2.38.3.1.md (DHIS2 2.38.3.1 release notes; Release Notes)
- https://github.com/dhis2/dhis2-releases/blob/master/releases/2.37/ReleaseNote-2.37.9.1.md (DHIS2 2.37.9.1 release notes; Release Notes)
- https://github.com/dhis2/dhis2-releases/blob/master/releases/2.39/ReleaseNote-2.39.1.2.md (DHIS2 2.39.1.2 release notes; Release Notes)
- https://github.com/dhis2/dhis2-core/security/advisories/GHSA-44g3-9mp4-prv3 ("Unrestricted session cookies with PATs", dhis2/dhis2-core GitHub security advisory; Third Party Advisory)