CVE-2022-39230

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-39230

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-39230.json

Aliases

GHSA-vv7x-7w4m-q72f

Published

2022-09-23T07:15:09Z

Modified

2023-11-29T09:49:16.206979Z

Details

fhir-works-on-aws-authz-smart is an implementation of the authorization interface from the FHIR Works interface. Versions 3.1.1 and 3.1.2 are subject to Exposure of Sensitive Information to an Unauthorized Actor. This issue allows a client of the API to retrieve more information than the client’s OAuth scope permits when making “search-type” requests. This issue would not allow a client to retrieve information about individuals other than those the client was already authorized to access. Users of fhir-works-on-aws-authz-smart 3.1.1 or 3.1.2 should upgrade to version 3.1.3 or higher immediately. Versions 3.1.0 and below are unaffected. There is no workaround for this issue.

References

https://github.com/awslabs/fhir-works-on-aws-authz-smart/security/advisories/GHSA-vv7x-7w4m-q72f

Affected packages

Git / github.com/awslabs/fhir-works-on-aws-authz-smart

Affected ranges

Type: GIT
Repo: https://github.com/awslabs/fhir-works-on-aws-authz-smart
Events: Introduced

96564791ca35f4ca96e1ae19b8184a18aa0bf449

Fixed

64f6a298a53ef9a9cc8417ee2d7d22632f79763d

Affected versions

v3.*

v3.1.0

v3.1.1

v3.1.2