Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-39230: Security issue in fhir-works-on-aws-authz-smart

fhir-works-on-aws-authz-smart is an implementation of the authorization interface from the FHIR Works interface. Versions 3.1.1 and 3.1.2 are subject to Exposure of Sensitive Information to an Unauthorized Actor. This issue allows a client of the API to retrieve more information than the client’s OAuth scope permits when making “search-type� requests. This issue would not allow a client to retrieve information about individuals other than those the client was already authorized to access. Users of fhir-works-on-aws-authz-smart 3.1.1 or 3.1.2 should upgrade to version 3.1.3 or higher immediately. Versions 3.1.0 and below are unaffected. There is no workaround for this issue.

CVE
#amazon#git#oauth#auth

Impact

This issue allows a client of the API to retrieve more information than the client’s OAuth scope permits when making “search-type” requests. This issue would not allow a client to retrieve information about individuals other than those the client was already authorized to access.

Patches

We recommend that users of fhir-works-on-aws-authz-smart 3.1.1 or 3.1.2 upgrade to version 3.1.3 or higher immediately. Versions 3.1.0 and below are unaffected.

Workarounds

There is no workaround for this issue. Please upgrade fhir-works-on-aws-authz-smart to version 3.1.3 or higher.

References

https://github.com/awslabs/fhir-works-on-aws-deployment
https://github.com/awslabs/fhir-works-on-aws-authz-smart

For more information

If you have any questions or comments about this advisory:

Email us at [email protected]

Related news

GHSA-vv7x-7w4m-q72f: fhir-works-on-aws-authz-smart handles permissions improperly

### Impact This issue allows a client of the API to retrieve more information than the client’s OAuth scope permits when making “search-type” requests. This issue would not allow a client to retrieve information about individuals other than those the client was already authorized to access. ### Patches We recommend that users of fhir-works-on-aws-authz-smart 3.1.1 or 3.1.2 upgrade to version 3.1.3 or higher immediately. Versions 3.1.0 and below are unaffected. ### Workarounds There is no workaround for this issue. Please upgrade fhir-works-on-aws-authz-smart to version 3.1.3 or higher. ### References https://github.com/awslabs/fhir-works-on-aws-deployment https://github.com/awslabs/fhir-works-on-aws-authz-smart ### For more information If you have any questions or comments about this advisory: Email us at [[email protected]](mailto:[email protected])

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907