Semi-blind Server-Side Request Forgery in dhis2-core
Description
DHIS 2 is an open source information system for data capture, management, validation, analytics and visualization. In affected versions an authenticated DHIS2 user can craft a request to DHIS2 to instruct the server to make requests to external resources (like third party servers). This could allow an attacker, for example, to identify vulnerable services which might not be otherwise exposed to the public internet or to determine whether a specific file is present on the DHIS2 server. DHIS2 administrators should upgrade to the following hotfix releases: 2.36.12.1, 2.37.8.1, 2.38.2.1, 2.39.0.1. At this time, there is no known workaround or mitigation for this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An authenticated DHIS2 user can craft a request to perform server-side request forgery (SSRF), potentially identifying internal services or files.
Vulnerability
An authenticated DHIS2 user can craft a request to the server that instructs it to make arbitrary HTTP requests to external resources (e.g., third-party servers). This Server-Side Request Forgery (SSRF) vulnerability affects versions prior to the hotfix releases: 2.36.12.1, 2.37.8.1, 2.38.2.1, and 2.39.0.1 [1][2]. The vulnerability resides in the API, where input is not sufficiently validated or restricted, allowing the server to act as a proxy for the attacker's requests.
Exploitation
To exploit this, an attacker must have a valid DHIS2 user account. With such access, they can send a specially crafted request to DHIS2, causing the server to make HTTP requests to arbitrary URLs. The vulnerability is essentially a semi-blind SSRF; the attacker may not receive the full response body, but can infer information based on response timing, status codes, or error messages [2]. No additional privileges or user interaction beyond authentication are required.
Impact
An attacker can use this to scan for vulnerable internal services that are not exposed to the public internet, or to determine whether specific files or resources exist on the DHIS2 server [2]. This can lead to information disclosure and reconnaissance of the internal network, potentially facilitating further attacks. The privilege level required is that of an authenticated user, and the scope is limited to requests the server makes on the attacker's behalf; it does not give direct access to internal resources beyond detecting whether they are reachable.
Mitigation
DHIS2 administrators should upgrade to the following hotfix releases: 2.36.12.1, 2.37.8.1, 2.38.2.1, and 2.39.0.1 [1][2]. As of the advisory date (2022-12-08), there is no known workaround or mitigation for this vulnerability [2]. The fix was committed and merged into those specific releases [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- dhis2/dhis2-core, affected range: < 2.36.12.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/dhis2/dhis2-core/commit/dc3166c216da53e12a16bfdc51055823b838c1c3 (MISC)
- github.com/dhis2/dhis2-core/security/advisories/GHSA-6qh9-rxc8-7943 (CONFIRM)
News mentions
No linked articles in our index yet.