fhir-works-on-aws-authz-smart handles permissions improperly
Moderate severity
GitHub Reviewed
Published
Sep 20, 2022
in
awslabs/fhir-works-on-aws-authz-smart
•
Updated Jan 27, 2023
Package
Affected versions
>= 3.1.1, < 3.1.3
Patched versions
3.1.3
Description
Published to the GitHub Advisory Database
Sep 21, 2022
Reviewed
Sep 21, 2022
Published by the National Vulnerability Database
Sep 23, 2022
Last updated
Jan 27, 2023
Impact
This issue allows a client of the API to retrieve more information than the client’s OAuth scope permits when making “search-type” requests. This issue would not allow a client to retrieve information about individuals other than those the client was already authorized to access.
Patches
We recommend that users of fhir-works-on-aws-authz-smart 3.1.1 or 3.1.2 upgrade to version 3.1.3 or higher immediately. Versions 3.1.0 and below are unaffected.
Workarounds
There is no workaround for this issue. Please upgrade fhir-works-on-aws-authz-smart to version 3.1.3 or higher.
References
https://github.com/awslabs/fhir-works-on-aws-deployment
https://github.com/awslabs/fhir-works-on-aws-authz-smart
For more information
If you have any questions or comments about this advisory:
Email us at [email protected]
References