CVE-2023-32060 in DHIS2

Summary

by MITRE • 05/09/2023

DHIS2 Core contains the service layer and Web API for DHIS2, an information system for data capture. Starting in the 2.35 branch and prior to versions 2.36.13, 2.37.8, 2.38.2, and 2.39.0, when the Category Option Combination Sharing settings are configured to control access to specific tracker program events or program stages, the `/trackedEntityInstances` and `/events` API endpoints may include all events regardless of the sharing settings applied to the category option combinations. When this specific configuration is present, users may have access to events which they should not be able to see based on the sharing settings of the category options. The events will not appear in the user interface for web-based Tracker Capture or Capture applications, but if the Android Capture App is used they will be displayed to the user. Versions 2.36.13, 2.37.8, 2.38.2, and 2.39.0 contain a fix for this issue. No workaround is known.


Analysis

by VulDB Data Team • 05/09/2023

The vulnerability described in CVE-2023-32060 affects DHIS2 (District Health Information Software 2), a widely used open-source information system for health data capture and management. The flaw is in DHIS2 Core, the service layer and Web API, and affects releases from the 2.35 branch up to, but not including, 2.36.13, 2.37.8, 2.38.2 and 2.39.0. It arises when Category Option Combination Sharing settings are used to restrict access to specific tracker program events or program stages: the Web API does not honour those sharing settings, so the configured restriction is bypassed. The result is an authorization bypass in the platform's data-level access control.

The flaw manifests in the `/trackedEntityInstances` and `/events` API endpoints, which do not enforce sharing restrictions when category option combinations carry specific access controls. When building the response, the server does not check the requesting user's read access to the category options that make up each event's attribute option combination, so authenticated users can retrieve program events and tracker data that the sharing settings of those category options should hide from them. The filtering that should happen at the API layer is absent: the endpoints return the matching events as stored, without applying the configured sharing constraints.

The operational impact is significant for healthcare organizations that rely on DHIS2 to manage sensitive health data. Authenticated users who should be blocked from certain program events by the category option sharing settings can retrieve them through direct API calls, with potential data breaches and privacy violations as a result. The exposure is uneven across clients: the web-based Tracker Capture and Capture applications do not show the restricted events in their user interface, whereas the Android Capture App, which consumes the same API, displays them. Mobile data collection can therefore expose sensitive records to personnel who were never meant to see them. Because the endpoints themselves return the events, any client or script that calls the API directly receives them; the behaviour of the web clients is not a mitigation.

The vulnerability aligns with CWE-284 (Improper Access Control) and represents a failure to enforce least privilege within the DHIS2 platform. From an ATT&CK perspective, the closest mapping is T1078 (Valid Accounts): exploitation requires an authenticated DHIS2 account, and the excess data is obtained through the legitimate API rather than through any separate attack vector. No workaround is known, so organizations must upgrade to 2.36.13, 2.37.8, 2.38.2 or 2.39.0 to remediate the issue. Security teams should prioritize assessment and remediation, particularly where mobile data collection with the Android Capture App is prevalent. Until the upgrade is complete, organizations should review API access logs for `/events` and `/trackedEntityInstances` requests from accounts that are restricted by category option sharing, and audit that sharing settings are configured as intended across their DHIS2 deployments.
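The check the vulnerable endpoints omit, and the post-hoc audit suggested above, can be expressed in a few lines. The script below is an added example, not DHIS2 project code. It assumes the pre-2.39 `/api/events` response shape in which every event carries an `attributeOptionCombo` UID, and a `/api/categoryOptionCombos?fields=id,categoryOptions[id]` dump that maps each combo to its category options; the set of readable options would come from `/api/categoryOptions?fields=id` requested as the restricted user. All UIDs and records are constructed.

```python
"""Audit an /events response against category option sharing.

Hypothetical check script, not DHIS2 project code. Given the JSON a
restricted user received from /api/events, the category option combos
referenced by those events, and the category options that user is allowed
to read, list the events the user should never have been given.
"""
import json

# Constructed: /api/categoryOptionCombos?fields=id,categoryOptions[id]
COMBOS_JSON = """
{"categoryOptionCombos": [
  {"id": "cocPublic001", "categoryOptions": [{"id": "optPublic001"}]},
  {"id": "cocRestrict1", "categoryOptions": [{"id": "optRestrict1"}]},
  {"id": "cocMixed0001", "categoryOptions": [{"id": "optPublic001"},
                                             {"id": "optRestrict1"}]}
]}
"""

# Constructed: category options the restricted user can read, i.e. the ids
# /api/categoryOptions?fields=id returns when called as that user (options
# whose sharing excludes the user are not listed).
READABLE_OPTIONS = {"optPublic001"}

# Constructed: what a vulnerable server returned to that user from /api/events.
EVENTS_JSON = """
{"events": [
  {"event": "evPublic0001", "programStage": "stageA", "attributeOptionCombo": "cocPublic001"},
  {"event": "evRestrict01", "programStage": "stageA", "attributeOptionCombo": "cocRestrict1"},
  {"event": "evMixed00001", "programStage": "stageB", "attributeOptionCombo": "cocMixed0001"},
  {"event": "evUnknown001", "programStage": "stageB", "attributeOptionCombo": "cocNotInDump"}
]}
"""


def combo_options(combos_json):
    """Map each category option combo UID to the set of its category option UIDs."""
    data = json.loads(combos_json)
    return {c["id"]: {o["id"] for o in c["categoryOptions"]}
            for c in data["categoryOptionCombos"]}


def find_leaked_events(events_json, combos_json, readable_options):
    """Return UIDs of events the user should not have received.

    An event is permitted only if the user can read every category option in
    its attribute option combo. Events whose combo is absent from the dump are
    flagged as well: the user could not even read that combo's metadata, so
    the event cannot be shown to be permitted. A correctly filtered response
    yields an empty list.
    """
    combos = combo_options(combos_json)
    leaked = []
    for ev in json.loads(events_json)["events"]:
        options = combos.get(ev["attributeOptionCombo"])
        if options is None or not options <= readable_options:
            leaked.append(ev["event"])
    return leaked


if __name__ == "__main__":
    for uid in find_leaked_events(EVENTS_JSON, COMBOS_JSON, READABLE_OPTIONS):
        print("event returned despite category option sharing:", uid)
```

To run it against a live instance, replace the three constants with the JSON captured while authenticated as the restricted user. On an affected version the list is non-empty whenever option sharing is in use; on a fixed version a non-empty list points at the sharing configuration itself rather than at this bug.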

Responsible

GitHub, Inc.

Reservation

05/01/2023

Disclosure

05/09/2023

Moderation

accepted

CPE

ready

EPSS

0.00515

KEV

no

Activities

very low
