CVE-2023-31139— DHIS2 Core unrestricted session cookies with Personal Access Tokens
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2023-31139
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
DHIS2 Core unrestricted session cookies with Personal Access Tokens
Source: NVD (National Vulnerability Database)
Vulnerability Description
DHIS2 Core contains the service layer and Web API for DHIS2, an information system for data capture. Starting in the 2.37 branch and prior to versions 2.37.9.1, 2.38.3.1, and 2.39.1.2, Personal Access Tokens (PATs) generate unrestricted session cookies. This may lead to a bypass of other access restrictions (for example, based on allowed IP addresses or HTTP methods). DHIS2 implementers should upgrade to a supported version of DHIS2: 2.37.9.1, 2.38.3.1, or 2.39.1.2. Implementers can work around this issue by adding extra access control validations on a reverse proxy.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
不充分的会话过期机制
Source: NVD (National Vulnerability Database)
Vulnerability Title
DHIS 2 代码问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
DHIS 2是一个应用软件。一个灵活的信息系统,用于数据捕获、管理、验证、分析和可视化。 DHIS 2 2.37.9.1之前版本、2.38.3.1 之前版本和 2.39.1.2 之前版本存在代码问题漏洞,该漏洞源于个人访问令牌 (PAT) 会生成不受限制的会话 cookie,这可能会绕过其他访问限制。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| dhis2 | dhis2-core | >= 2.37, < 2.37.9.1 | - |
II. Public POCs for CVE-2023-31139
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2023-31139
请登录查看更多情报信息。
- https://github.com/dhis2/dhis2-core/security/advisories/GHSA-44g3-9mp4-prv3x_refsource_CONFIRM
- https://nvd.nist.gov/vuln/detail/CVE-2023-31139
Same Patch Batch · dhis2 · 2023-05-09 · 3 CVEs total
| CVE-2023-31138 | 7.1 HIGH | DHIS2 Core vulnerable to Improper Access Control with PATCH requests |
| CVE-2023-32060 | 6.5 MEDIUM | DHIS2 Core Improper Access Control with Category Option Combination sharing in /api/tracke |
IV. Related Vulnerabilities
Same product: dhis2-core
- CVE-2023-32060
DHIS2 Core Improper Access Control with Category Option Comb - CVE-2023-31138
DHIS2 Core vulnerable to Improper Access Control with PATCH - CVE-2022-41947
Cross-site Scripting with user-uploaded files in dhis2-core - CVE-2022-41948
Privilege Chaining with the user admin role in dhis2-core - CVE-2022-41949
Semi-blind Server-Side Request Forgery in dhis2-core
Same vendor: dhis2
- CVE-2023-32060
DHIS2 Core Improper Access Control with Category Option Comb - CVE-2023-31138
DHIS2 Core vulnerable to Improper Access Control with PATCH - CVE-2022-41947
Cross-site Scripting with user-uploaded files in dhis2-core - CVE-2022-41948
Privilege Chaining with the user admin role in dhis2-core - CVE-2022-41949
Semi-blind Server-Side Request Forgery in dhis2-core
Same weakness: CWE-613
- CVE-2026-41902
FreeScout's user invitation hash never expires: permanent un - CVE-2026-41519
Weblate's API Token Not Invalidated on Password Change - CVE-2026-41891
CI4MS: Deactivated User Session Bypass (active=0) - CVE-2026-40934
jupyter-server authentication cookies remain valid after pas - CVE-2026-42421
OpenClaw < 2026.4.8 - WebSocket Session Persistence via Shar
V. Comments for CVE-2023-31139
No comments yet