GHSA-vv7x-7w4m-q72f: fhir-works-on-aws-authz-smart handles permissions improperly
Impact
This issue allows a client of the API to retrieve more information than the client’s OAuth scope permits when making “search-type” requests. This issue would not allow a client to retrieve information about individuals other than those the client was already authorized to access.
Patches
We recommend that users of fhir-works-on-aws-authz-smart 3.1.1 or 3.1.2 upgrade to version 3.1.3 or higher immediately. Versions 3.1.0 and below are unaffected.
Workarounds
There is no workaround for this issue. Please upgrade fhir-works-on-aws-authz-smart to version 3.1.3 or higher.
References
https://github.com/awslabs/fhir-works-on-aws-deployment
https://github.com/awslabs/fhir-works-on-aws-authz-smart
For more information
If you have any questions or comments about this advisory:
Email us at [email protected]
Package: fhir-works-on-aws-authz-smart (npm)
Affected versions: >= 3.1.1, < 3.1.3
Patched versions: 3.1.3
References
- GHSA-vv7x-7w4m-q72f
- awslabs/fhir-works-on-aws-authz-smart@203bbc0
wsc published the maintainer security advisory on Sep 20, 2022
Severity: Moderate (6.5 / 10)
CVSS base metrics
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Weaknesses: CWE-281
CVE ID: CVE-2022-39230
GHSA ID: GHSA-vv7x-7w4m-q72f
Source code: awslabs/fhir-works-on-aws-authz-smart
Related news
fhir-works-on-aws-authz-smart is an implementation of the authorization interface from the FHIR Works interface. Versions 3.1.1 and 3.1.2 are subject to Exposure of Sensitive Information to an Unauthorized Actor. This issue allows a client of the API to retrieve more information than the client’s OAuth scope permits when making “search-type” requests. This issue would not allow a client to retrieve information about individuals other than those the client was already authorized to access. Users of fhir-works-on-aws-authz-smart 3.1.1 or 3.1.2 should upgrade to version 3.1.3 or higher immediately. Versions 3.1.0 and below are unaffected. There is no workaround for this issue.