Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Privilege Chaining with the user admin role in dhis2-core
Vulnerability Description
DHIS 2 is an open source information system for data capture, management, validation, analytics and visualization. Affected versions are subject to a privilege escalation vulnerability. A DHIS2 user with authority to manage users can assign superuser privileges to themself by manually crafting an HTTP PUT request. Only users with the following DHIS2 user role authorities can exploit this vulnerability. Note that in many systems the only users with user admin privileges are also superusers. In these cases, the escalation vulnerability does not exist. The vulnerability is only exploitable by attackers who can authenticate as users with the user admin authority. As this is usually a small and relatively trusted set of users, exploit vectors will often be limited. DHIS2 administrators should upgrade to the following hotfix releases: 2.36.12.1, 2.37.8.1, 2.38.2.1, 2.39.0.1. The only known workaround to this issue is to avoid the assignment of the user management authority to any users until the patch has been applied.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L
Vulnerability Type
特权管理不恰当
Vulnerability Title
DHIS 2 安全漏洞
Vulnerability Description
DHIS 2是一个应用软件。一个灵活的信息系统,用于数据捕获、管理、验证、分析和可视化。 DHIS 2 core 2.34、2.35、2.36、2.37、2.38、2.39版本存在安全漏洞,该漏洞源于有权管理用户的 DHIS2 用户可以通过手动制作 HTTP PUT 请求为自己分配超级用户权限。
CVSS Information
N/A
Vulnerability Type
N/A