Impact
We discovered that Personal Access Tokens (PATs), introduced in version 2.37, generate unrestricted session cookies: a request authenticated with a PAT establishes a regular session whose cookie is not subject to the restrictions that apply to the request itself. The cookie can then be reused to bypass other access restrictions (for example, restrictions based on allowed IP addresses or HTTP methods).
Patches
DHIS2 implementers should upgrade to a supported version of DHIS2: 2.37.9.1, 2.38.3.1, or 2.39.1.2.
Workarounds
You can work around this issue by enforcing the access restrictions (for example, source-IP allowlisting and HTTP method restrictions) on a reverse proxy in front of DHIS2, so that they are applied to every request regardless of whether it presents a PAT or a session cookie.
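The following nginx configuration is an added example of such a proxy-side check; it is not part of this advisory or of DHIS2. It assumes DHIS2 is served on http://127.0.0.1:8080 behind nginx, and the client ranges (198.51.100.0/24 for all users, 203.0.113.0/24 for a read-only integration) and the /api/ path are hypothetical placeholders to be adapted to your deployment.

```nginx
# Added example, not from the DHIS2 advisory. The restrictions below are
# evaluated by nginx on every request, so they hold even when the client
# presents a session cookie that was obtained via a PAT.

upstream dhis2 {
    server 127.0.0.1:8080;   # assumed DHIS2 backend
}

# Hypothetical read-only integration range: 1 for matching clients.
geo $ro_client {
    default          0;
    203.0.113.0/24   1;
}

# Deny modifying methods from read-only clients. The map key combines the
# client flag and the request method; regex keys start with "~".
map "$ro_client:$request_method" $deny_write {
    default                          0;
    "~^1:(POST|PUT|PATCH|DELETE)$"   1;
}

server {
    listen 443 ssl;
    server_name dhis2.example.org;   # placeholder hostname
    # ssl_certificate / ssl_certificate_key omitted

    # Source-IP allowlist for the whole instance (hypothetical ranges).
    allow 198.51.100.0/24;
    allow 203.0.113.0/24;
    deny  all;

    location /api/ {
        # 405 for write methods from the read-only range; the credential
        # type (PAT or cookie) does not matter here.
        if ($deny_write) {
            return 405;
        }
        proxy_pass http://dhis2;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location / {
        proxy_pass http://dhis2;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Because the proxy decides on the client address and method before the request reaches DHIS2, it does not depend on how the backend session was created. Verify the rule set with `nginx -t` and with test requests from inside and outside the listed ranges before relying on it.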
For more information
If you have any questions or comments about this advisory, please email us at [email protected].
References