GHSA-67f6-c8mx-4q2m

Suggest an improvement
Source
https://github.com/advisories/GHSA-67f6-c8mx-4q2m
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-67f6-c8mx-4q2m/GHSA-67f6-c8mx-4q2m.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-67f6-c8mx-4q2m
Aliases
Published
2021-06-16T17:21:11Z
Modified
2023-11-01T04:55:23.144025Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
Summary
Uncontrolled Resource Consumption in JPA Server in HAPI FHIR
Details

JPA Server in HAPI FHIR before 5.4.0 allows a user to deny service (e.g., disable access to the database after the attack stops) via history requests. This occurs because of a SELECT COUNT statement that requires a full index scan, with an accompanying large amount of server resources if there are many simultaneous history requests.

Database specific
{
    "nvd_published_at": "2021-05-10T21:15:00Z",
    "github_reviewed_at": "2021-05-19T19:47:05Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-400"
    ]
}
References

Affected packages

Maven / ca.uhn.hapi.fhir:hapi-fhir-jpaserver-base

Package

Name
ca.uhn.hapi.fhir:hapi-fhir-jpaserver-base
View open source insights on deps.dev
Purl
pkg:maven/ca.uhn.hapi.fhir/hapi-fhir-jpaserver-base

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.4.0

Affected versions

0.*

0.9

1.*

1.0
1.1
1.2
1.3
1.4
1.5
1.6

2.*

2.0
2.1
2.2
2.3
2.4
2.5

3.*

3.0.0
3.1.0
3.2.0
3.3.0
3.4.0
3.5.0
3.6.0
3.7.0
3.8.0

4.*

4.0.0
4.0.1
4.0.2
4.0.3
4.1.0
4.2.0

5.*

5.0.0
5.0.1
5.0.2
5.1.0
5.2.0
5.2.1
5.3.0
5.3.2
5.3.3