CVE-2023-31138
CVE-2023-31138 is a high-severity vulnerability in Dhis2 Dhis 2 with a CVSS 3.x base score of 7.1. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-284.
Key facts
- Severity: High (CVSS 3.x base score 7.1)
- EPSS exploit prediction: 1% (45th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-284
- Affected product: Dhis2 Dhis 2
- Published:
- Last modified:
Description
DHIS2 Core contains the service layer and Web API for DHIS2, an information system for data capture. Starting in the 2.36 branch and prior to versions 2.37.9.1, 2.38.3.1, and 2.39.1.2, using object model traversal in the payload of a PATCH request, authenticated users with write access to an object may be able to modify related objects that they should not have access to. DHIS2 implementers should upgrade to a supported version of DHIS2 to receive a patch: 2.37.9.1, 2.38.3.1, or 2.39.1.2. It is possible to work around this issue by blocking all PATCH requests on a reverse proxy, but this may cause some issues with the functionality of built-in applications using legacy PATCH requests.
Frequently asked questions
- What is CVE-2023-31138?
- DHIS2 Core contains the service layer and Web API for DHIS2, an information system for data capture. Starting in the 2.36 branch and prior to versions 2.37.9.1, 2.38.3.1, and 2.39.1.2, using object model traversal in the payload of a PATCH request, authenticated users with write access to an object may be able to modify related objects that they should not have access to. DHIS2 implementers should upgrade to a supported version of DHIS2 to receive a patch: 2.37.9.1, 2.38.3.1, or 2.39.1.2. It is possible to work around this issue by blocking all PATCH requests on a reverse proxy, but this may cause some issues with the functionality of built-in applications using legacy PATCH requests.
- How severe is CVE-2023-31138?
- CVE-2023-31138 has a CVSS 3.x base score of 7.1, rated high severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is none, integrity high, and availability low.
- Is CVE-2023-31138 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (45th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2023-31138?
- CVE-2023-31138 affects Dhis2 Dhis 2. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2023-31138?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- When was CVE-2023-31138 published?
- CVE-2023-31138 was published on 2023-05-09 and last updated on 2026-06-17.
References
- https://github.com/dhis2/dhis2-core/security/advisories/GHSA-pwvw-4m67-f4g2
- https://github.com/dhis2/dhis2-releases/blob/master/releases/2.37/ReleaseNote-2.37.9.1.md
- https://github.com/dhis2/dhis2-releases/blob/master/releases/2.38/ReleaseNote-2.38.3.1.md
- https://github.com/dhis2/dhis2-releases/blob/master/releases/2.39/ReleaseNote-2.39.1.2.md
Affected products (1)
- cpe:2.3:a:dhis2:dhis_2:*:*:*:*:*:*:*:*
More vulnerabilities in Dhis2 Dhis 2
- CVE-2022-24848 — High (CVSS 8.8): DHIS2 is an information system for data capture, management, validation, analytics and visualization. A SQL injection…
- CVE-2021-39179 — High (CVSS 8.8): DHIS 2 is an information system for data capture, management, validation, analytics and visualization. A SQL Injection…
- CVE-2021-32704 — High (CVSS 8.5): DHIS 2 is an information system for data capture, management, validation, analytics and visualization. A SQL injection…
- CVE-2021-41187 — High (CVSS 8.1): DHIS 2 is an information system for data capture, management, validation, analytics and visualization. A SQL injection…
- CVE-2022-41948 — Medium (CVSS 6.7): DHIS 2 is an open source information system for data capture, management, validation, analytics and visualization.…
- CVE-2023-32060 — Medium (CVSS 6.5): DHIS2 Core contains the service layer and Web API for DHIS2, an information system for data capture. Starting in the…
All CVEs affecting Dhis2 Dhis 2 →
Other CWE-284 (Improper Access Control) vulnerabilities
- CVE-2026-50746 — Critical (CVSS 10.0): A malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi…
- CVE-2026-46978 — Critical (CVSS 10.0): Vulnerability in the Oracle Solaris product of Oracle Systems (component: Remote Administration Daemon). The…
- CVE-2026-35308 — Critical (CVSS 10.0): Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Centralized Third Party Jars).…
- CVE-2026-35307 — Critical (CVSS 10.0): Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Core). Supported versions that…
- CVE-2026-46695 — Critical (CVSS 10.0): Boxlite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and launch OCI containers…
- CVE-2026-46840 — Critical (CVSS 10.0): Vulnerability in Oracle REST Data Services (component: Backend-as-a-Service). Supported versions that are affected are…
Browse all CWE-284 (Improper Access Control) vulnerabilities →