Known DHIS2 Vulnerabilities (CVEs)

On this page you can find a list of known, fixed, disclosed security vulnerabilities in past DHIS2 releases.

List of known vulnerabilities (CVEs)

The DHIS2 security team follows a responsible disclosure process. When vulnerabilities are discovered in released, supported versions of DHIS2, the team makes every effort to evaluate, address, and release fixes in a timely manner. Because many DHIS2 implementations around the world handle sensitive data, information relating to these vulnerabilities may be embargoed for some period of time. Once a vulnerability has been fixed and sufficient time has passed for production DHIS2 implementations to upgrade, the DHIS2 team endeavors to disclose it publicly for the affected older software versions.

The following is a list of known, fixed, disclosed security vulnerabilities in past DHIS2 releases. Each entry gives the vulnerability, its severity, the affected versions, and the versions that carry the fix. A fix version of the form "2.32-EOS" means that release line had reached end of support and received no patched build; installations on such a line must move to a supported line to be fixed.

Vulnerability: SQL Injection in DHIS2 Tracker API (CVE-2021-32704)
    Severity: High (CVSS Base Score 8.5, CVSS Overall Score 7.7)
    Affected Versions: 2.34.4; 2.35.2, 2.35.3, 2.35.4; 2.36.0
    Fix Versions: 2.34.5; 2.35.5; 2.36.1

Vulnerability: SQL Injection in DHIS2 Tracker API (assignedUsers and escapeSql) (CVE-2021-39179)
    Severity: Moderate
    Affected Versions: 2.32, 2.33, 2.35, 2.36
    Fix Versions: 2.32-EOS (no fix, end of support); 2.33-EOS (no fix, end of support); 2.35.7; 2.36.4

Vulnerability: SQL Injection in DHIS2 Tracker API (events and TEIs) (CVE-2021-41187)
    Severity: Moderate
    Affected Versions: 2.32, 2.33, 2.34, 2.35, 2.36
    Fix Versions: 2.32-EOS (no fix, end of support); 2.33-EOS (no fix, end of support); 2.34.7; 2.35.8; 2.36.4
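A practitioner usually wants to turn the table above into a check they can run against their own instance. The script below is an added example, not DHIS2 project code: it transcribes the three entries above into a small data structure and reports which ones still apply to a given version string. The version is normally read from the instance's `/api/system/info` endpoint, which returns a JSON object with a `version` field; a constructed sample response is embedded so the script runs offline. Treating a line listed without a patch number (for example "2.35") as affected from its first patch release onward is this script's reading of the table, not a statement from the advisory.

```python
"""Check a DHIS2 version against the CVE table on this page (added example, not DHIS2 code)."""
import json
import re

# Transcribed from the table above. For each minor release line the tuple is
# (first affected patch level, first patch level that carries the fix).
# A fix level of None means the line was end of support ("-EOS" in the table)
# and never received a patched build. Lines the table does not list are
# treated as not affected. Reading a line given without a patch number
# (e.g. "2.35") as affected from .0 onward is an assumption of this script.
ADVISORIES = {
    "CVE-2021-32704": {
        "title": "SQL Injection in DHIS2 Tracker API",
        "lines": {"2.34": (4, 5), "2.35": (2, 5), "2.36": (0, 1)},
    },
    "CVE-2021-39179": {
        "title": "SQL Injection in DHIS2 Tracker API (assignedUsers and escapeSql)",
        "lines": {"2.32": (0, None), "2.33": (0, None), "2.35": (0, 7), "2.36": (0, 4)},
    },
    "CVE-2021-41187": {
        "title": "SQL Injection in DHIS2 Tracker API (events and TEIs)",
        "lines": {"2.32": (0, None), "2.33": (0, None), "2.34": (0, 7), "2.35": (0, 8), "2.36": (0, 4)},
    },
}

# Constructed sample of a /api/system/info response body; only "version" is used.
SAMPLE_SYSTEM_INFO = json.dumps(
    {"version": "2.35.4", "revision": "0000000", "buildTime": "2021-06-01T00:00:00.000"}
)

_VERSION_RE = re.compile(r"^(\d+\.\d+)(?:\.(\d+))?")


def parse_version(version: str):
    """Split '2.36.4' (also '2.36' or '2.36.4-SNAPSHOT') into ('2.36', 4)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised DHIS2 version string: {version!r}")
    return m.group(1), int(m.group(2) or 0)


def applicable_cves(version: str) -> dict:
    """Return {cve_id: remediation} for every table entry that still applies to `version`."""
    line, patch = parse_version(version)
    result = {}
    for cve, info in ADVISORIES.items():
        span = info["lines"].get(line)
        if span is None:
            continue  # release line not listed for this CVE
        first_affected, first_fixed = span
        if patch < first_affected:
            continue  # earlier patch level than the table lists as affected
        if first_fixed is None:
            result[cve] = f"no fix: {line} is end of support, migrate to a supported line"
        elif patch < first_fixed:
            result[cve] = f"upgrade to {line}.{first_fixed} or later"
    return result


def check_system_info(system_info_json: str) -> dict:
    """Same check, starting from the JSON body returned by /api/system/info."""
    return applicable_cves(json.loads(system_info_json)["version"])


if __name__ == "__main__":
    findings = check_system_info(SAMPLE_SYSTEM_INFO)
    if not findings:
        print("no entries from this page apply")
    for cve, action in findings.items():
        print(f"{cve}: {ADVISORIES[cve]['title']} -> {action}")
```

Against a live instance, fetch `https://<host>/api/system/info` with credentials that can read it and pass the response body to `check_system_info`. Extend `ADVISORIES` as new entries are added to the table; the script only knows what this page states.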