GHSA-vv7x-7w4m-q72f: fhir-works-on-aws-authz-smart handles permissions improperly

Impact

This issue allows a client of the API to retrieve more information than the client’s OAuth scope permits when making “search-type” requests. This issue would not allow a client to retrieve information about individuals other than those the client was already authorized to access.
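The advisory does not say which check in the package was missing, so the following is an added example, not code from fhir-works-on-aws-authz-smart, showing the general shape of this class of bug: the client's scope is enforced on the resource type named in the search request, but not on each resource that comes back in the search Bundle, so an `_include`-style search can return resource types the scope never granted. The SMART v1 scope syntax, the helper names and the sample Bundle are assumptions constructed for the example.

```javascript
// Added example (not code from fhir-works-on-aws-authz-smart): enforce a
// client's SMART on FHIR scopes on a search-type response by dropping
// Bundle entries whose resource type the scopes do not grant read access to.
// Assumed scope syntax: <context>/<ResourceType|*>.<read|write|*> (SMART v1).

const SCOPE_RE = /^(patient|user|system)\/([A-Za-z]+|\*)\.(read|write|\*)$/;

// Parse a space-separated scope string into {context, resourceType, access}
// objects, ignoring tokens that are not resource scopes ("openid", "launch/patient").
function parseScopes(scopeString) {
  return scopeString
    .split(/\s+/)
    .filter(Boolean)
    .map((s) => SCOPE_RE.exec(s))
    .filter(Boolean)
    .map((m) => ({ context: m[1], resourceType: m[2], access: m[3] }));
}

// True if any parsed scope grants read access to the given resource type.
function scopesAllowRead(scopes, resourceType) {
  return scopes.some(
    (s) =>
      (s.resourceType === '*' || s.resourceType === resourceType) &&
      (s.access === 'read' || s.access === '*'),
  );
}

// Weak behaviour: authorize only the resource type in the request URL, then
// hand back the server's Bundle unfiltered. Included resources (or a wildcard
// search) can carry resource types the client was never granted.
function filterSearchResponseWeak(scopeString, requestedType, bundle) {
  const scopes = parseScopes(scopeString);
  if (!scopesAllowRead(scopes, requestedType)) {
    throw new Error('forbidden: scope does not permit ' + requestedType);
  }
  return bundle;
}

// Hardened behaviour: authorize the request the same way, then authorize every
// entry in the response individually, so out-of-scope resources are removed
// and the Bundle total is recomputed. The input Bundle is not mutated.
function filterSearchResponse(scopeString, requestedType, bundle) {
  const scopes = parseScopes(scopeString);
  if (!scopesAllowRead(scopes, requestedType)) {
    throw new Error('forbidden: scope does not permit ' + requestedType);
  }
  const entry = (bundle.entry || []).filter(
    (e) => e.resource && scopesAllowRead(scopes, e.resource.resourceType),
  );
  return { ...bundle, entry, total: entry.length };
}

// Constructed sample: a search on Observation with _include=Observation:subject,
// so the server's searchset carries the referenced Patient as well.
const SAMPLE_BUNDLE = {
  resourceType: 'Bundle',
  type: 'searchset',
  total: 3,
  entry: [
    { resource: { resourceType: 'Observation', id: 'obs-1', subject: { reference: 'Patient/p-1' } } },
    { resource: { resourceType: 'Observation', id: 'obs-2', subject: { reference: 'Patient/p-1' } } },
    { resource: { resourceType: 'Patient', id: 'p-1' }, search: { mode: 'include' } },
  ],
};

// Constructed client token scopes: may read Observations, not Patients.
const CLIENT_SCOPES = 'openid launch/patient patient/Observation.read';

// Returns the resource types each variant would hand to the client.
function demo() {
  const weak = filterSearchResponseWeak(CLIENT_SCOPES, 'Observation', SAMPLE_BUNDLE);
  const hardened = filterSearchResponse(CLIENT_SCOPES, 'Observation', SAMPLE_BUNDLE);
  return {
    weak: weak.entry.map((e) => e.resource.resourceType),
    hardened: hardened.entry.map((e) => e.resource.resourceType),
  };
}

console.log(demo());
```

Running the block prints the Patient resource under `weak` but not under `hardened`; the hardened filter is the per-entry check a practitioner would expect an authorization layer to apply to every search-type response, not only to the requested resource type.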

Patches

We recommend that users of fhir-works-on-aws-authz-smart 3.1.1 or 3.1.2 upgrade to version 3.1.3 or higher immediately. Versions 3.1.0 and below are unaffected.

Workarounds

There is no workaround for this issue. Please upgrade fhir-works-on-aws-authz-smart to version 3.1.3 or higher.

References

https://github.com/awslabs/fhir-works-on-aws-deployment
https://github.com/awslabs/fhir-works-on-aws-authz-smart

For more information

If you have any questions or comments about this advisory:

Email us at [email protected]

Source

ghsa

Tags

#vulnerability #amazon #nodejs #git #perl #aws #oauth #auth

Package

npm fhir-works-on-aws-authz-smart (npm)

Affected versions

>= 3.1.1, < 3.1.3

Patched versions

3.1.3


References

  • GHSA-vv7x-7w4m-q72f
  • awslabs/fhir-works-on-aws-authz-smart@203bbc0

wsc published the maintainer security advisory on Sep 20, 2022.

Severity

Moderate, 6.5 / 10

CVSS base metrics

  • Attack vector: Network
  • Attack complexity: Low
  • Privileges required: Low
  • User interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: None
  • Availability: None

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Weaknesses

CWE-281

CVE ID

CVE-2022-39230

GHSA ID

GHSA-vv7x-7w4m-q72f

Source code

awslabs/fhir-works-on-aws-authz-smart


Related news

CVE-2022-39230: Security issue in fhir-works-on-aws-authz-smart

fhir-works-on-aws-authz-smart is an implementation of the authorization interface from the FHIR Works interface. Versions 3.1.1 and 3.1.2 are subject to Exposure of Sensitive Information to an Unauthorized Actor. This issue allows a client of the API to retrieve more information than the client’s OAuth scope permits when making “search-type” requests. This issue would not allow a client to retrieve information about individuals other than those the client was already authorized to access. Users of fhir-works-on-aws-authz-smart 3.1.1 or 3.1.2 should upgrade to version 3.1.3 or higher immediately. Versions 3.1.0 and below are unaffected. There is no workaround for this issue.