Описание
fhir-works-on-aws-authz-smart handles permissions improperly
Impact
This issue allows a client of the API to retrieve more information than the client’s OAuth scope permits when making “search-type” requests. This issue would not allow a client to retrieve information about individuals other than those the client was already authorized to access.
Patches
We recommend that users of fhir-works-on-aws-authz-smart 3.1.1 or 3.1.2 upgrade to version 3.1.3 or higher immediately. Versions 3.1.0 and below are unaffected.
Workarounds
There is no workaround for this issue. Please upgrade fhir-works-on-aws-authz-smart to version 3.1.3 or higher.
References
https://github.com/awslabs/fhir-works-on-aws-deployment https://github.com/awslabs/fhir-works-on-aws-authz-smart
For more information
If you have any questions or comments about this advisory:
Email us at fhir-works-on-aws-dev@amazon.com
Пакеты
fhir-works-on-aws-authz-smart
>= 3.1.1, < 3.1.3
3.1.3
Связанные уязвимости
fhir-works-on-aws-authz-smart is an implementation of the authorization interface from the FHIR Works interface. Versions 3.1.1 and 3.1.2 are subject to Exposure of Sensitive Information to an Unauthorized Actor. This issue allows a client of the API to retrieve more information than the client’s OAuth scope permits when making “search-type” requests. This issue would not allow a client to retrieve information about individuals other than those the client was already authorized to access. Users of fhir-works-on-aws-authz-smart 3.1.1 or 3.1.2 should upgrade to version 3.1.3 or higher immediately. Versions 3.1.0 and below are unaffected. There is no workaround for this issue.