
Known DHIS2 Vulnerabilities (CVEs)

On this page you can find a list of known, fixed, disclosed security vulnerabilities in past DHIS2 releases.

List of known vulnerabilities (CVEs)

The DHIS2 security team follows a responsible disclosure process. When vulnerabilities are discovered in released, supported versions of DHIS2, the team makes every effort to evaluate and address them and to release fixes in a timely manner. Because of the sensitive nature of many DHIS2 implementations around the world, information about these vulnerabilities may be embargoed for some period of time. Once a vulnerability has been fixed and sufficient time has passed for production DHIS2 implementations to upgrade, the DHIS2 team endeavors to disclose it publicly for the affected older software versions.

The following is a list of known, fixed, disclosed security vulnerabilities in past DHIS2 releases:

| Vulnerability | Severity | Affected Versions | Fix Versions |
|---|---|---|---|
| SQL Injection in DHIS2 Tracker API (CVE-2021-32704) | High (CVSS Base Score: 8.5; CVSS Overall Score: 7.7) | 2.34.4; 2.35.2, 2.35.3, 2.35.4; 2.36.0 | 2.34.5, 2.35.5, 2.36.1 |
| SQL Injection in DHIS2 Tracker API (assignedUsers and escapeSql) (CVE-2021-39179) | Moderate | 2.32, 2.33, 2.35, 2.36 | 2.32-EOS, 2.33-EOS, 2.35.7, 2.36.4 |
| SQL Injection in DHIS2 Tracker API (events and TEIs) (CVE-2021-41187) | Moderate | 2.32, 2.33, 2.34, 2.35, 2.36 | 2.32-EOS, 2.33-EOS, 2.34.7, 2.35.8, 2.36.4 |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in OrgUnit program association | High (CVSS Base Score: 8.8) | 2.36, 2.37 | 2.36.10.1, 2.37.6.1 |