CVE-2021-32053: Uncontrolled Resource Consumption

June 16, 2021

JPA Server in HAPI FHIR before 5.4.0 allows a user to deny service (e.g., disable access to the database after the attack stops) via history requests. This occurs because of a SELECT COUNT statement that requires a full index scan, with an accompanying large amount of server resources if there are many simultaneous history requests.

References

github.com/advisories/GHSA-67f6-c8mx-4q2m
github.com/hapifhir/hapi-fhir/issues/2641
github.com/hapifhir/hapi-fhir/pull/2642
nvd.nist.gov/vuln/detail/CVE-2021-32053

Detect and mitigate CVE-2021-32053 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →