
CVE-2022-24848: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in dhis2 dhis2-core

Medium
Published: Wed Jun 01 2022 (06/01/2022, 17:20:14 UTC)
Source: CVE
Vendor/Project: dhis2
Product: dhis2-core

Description

DHIS2 is an information system for data capture, management, validation, analytics and visualization. A SQL injection security vulnerability affects the `/api/programs/orgUnits?programs=` API endpoint in DHIS2 versions prior to 2.36.10.1 and 2.37.6.1. The system is vulnerable to attack only from users that are logged in to DHIS2, and there is no known way of exploiting the vulnerability without first being logged in as a DHIS2 user. The vulnerability is not exposed to a non-malicious user and requires a conscious attack to be exploited. A successful exploit of this vulnerability could allow the malicious user to read, edit and delete data in the DHIS2 instance's database. Security patches are now available for DHIS2 versions 2.36.10.1 and 2.37.6.1. One may apply mitigations at the web proxy level as a workaround. More information about these mitigations is available in the GitHub Security Advisory.

AI-Powered Analysis

Last updated: 06/23/2025, 10:20:06 UTC

Technical Analysis

CVE-2022-24848 is a medium-severity SQL injection vulnerability affecting the DHIS2 platform, specifically the dhis2-core component. DHIS2 is widely used as an information system for data capture, management, validation, analytics, and visualization, often in public health and governmental organizations. The vulnerability exists in the `/api/programs/orgUnits?programs=` API endpoint in DHIS2 versions prior to 2.36.10.1 and between 2.37 and 2.37.6. This endpoint improperly neutralizes special elements used in SQL commands, allowing an authenticated user to inject malicious SQL code. Exploitation requires the attacker to be logged in to the DHIS2 system, meaning it is not accessible to unauthenticated users or casual visitors. The attack vector demands a conscious, malicious action by an authenticated user, which reduces the risk of accidental exploitation or automated mass attacks. However, a successful exploit could allow the attacker to read, modify, or delete data within the DHIS2 database, compromising confidentiality, integrity, and availability of critical data. This could have severe consequences given DHIS2's role in managing sensitive health and organizational data. Security patches addressing this vulnerability are available in DHIS2 versions 2.36.10.1 and 2.37.6.1. Until patches are applied, mitigations at the web proxy level can help reduce risk by filtering or blocking malicious payloads targeting the vulnerable API endpoint. No known exploits have been reported in the wild to date, but the potential impact warrants prompt remediation.

Potential Impact

For European organizations using DHIS2, particularly in healthcare, public health, and governmental sectors, this vulnerability poses a significant risk. Exploitation could lead to unauthorized disclosure of sensitive health data, manipulation or deletion of critical program and organizational unit data, and disruption of data analytics and reporting functions. This could undermine public health monitoring, disease surveillance, and resource allocation efforts. Given the GDPR and other data protection regulations in Europe, a breach resulting from this vulnerability could also lead to regulatory penalties and reputational damage. The requirement for authenticated access limits the attack surface, but insider threats or compromised credentials could enable exploitation. The impact on data integrity and availability could disrupt operational continuity and decision-making processes dependent on DHIS2 data.

Mitigation Recommendations

1. Apply the official security patches by upgrading DHIS2 to version 2.36.10.1 or 2.37.6.1 or later immediately to remediate the vulnerability.
2. Implement web proxy-level mitigations as recommended in the DHIS2 GitHub Security Advisory to filter or block malicious SQL injection payloads targeting the vulnerable API endpoint.
3. Enforce strict access controls and monitor user activity within DHIS2 to detect anomalous behavior indicative of exploitation attempts.
4. Use multi-factor authentication (MFA) to reduce the risk of credential compromise for DHIS2 users.
5. Conduct regular security audits and penetration testing focused on API endpoints to identify and remediate injection vulnerabilities proactively.
6. Maintain comprehensive logging and alerting on database queries and API usage to facilitate rapid incident response.
7. Educate DHIS2 users about the risks of SQL injection and the importance of secure credential management to mitigate insider threats.
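Recommendations 2 and 6 both come down to knowing which requests to the `/api/programs/orgUnits` endpoint carry a `programs` value that is not a plain identifier. The script below is an added example for that monitoring step; it is not code from the page, from DHIS2 or from the GitHub Security Advisory. It assumes the reverse proxy writes nginx "combined" access-log lines and that legitimate `programs` values are DHIS2 UIDs (assumed here to be 11 characters, a letter followed by letters or digits); the log lines are constructed samples. Anything else in the parameter is reported for review, so the check is an allow-list rather than a list of bad characters.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in nginx "combined" format (assumed proxy format).
SAMPLE_LOG = """\
10.0.0.5 - alice [02/Jun/2022:09:14:02 +0000] "GET /api/programs/orgUnits?programs=IpHinAT79UW,WSGAb5XwJ3Y HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - bob [02/Jun/2022:09:15:41 +0000] "GET /api/programs/orgUnits?programs=IpHinAT79UW%27 HTTP/1.1" 500 88 "-" "curl/7.68.0"
10.0.0.9 - bob [02/Jun/2022:09:16:10 +0000] "GET /api/programs/orgUnits?programs=IpHinAT79UW,not-a-uid HTTP/1.1" 200 4096 "-" "curl/7.68.0"
10.0.0.7 - carol [02/Jun/2022:09:17:33 +0000] "GET /api/organisationUnits?fields=id HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Fields of a combined-format line that matter for this check.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Assumed DHIS2 UID shape: one letter followed by ten letters or digits.
UID_RE = re.compile(r'^[A-Za-z][A-Za-z0-9]{10}$')

# The endpoint named in the advisory; endswith() tolerates a deployment context path.
VULNERABLE_PATH = '/api/programs/orgUnits'


def check_programs_param(target):
    """Return the list of non-UID values in the `programs` query parameter.

    Returns None when the request is not for the vulnerable endpoint, and an
    empty list when every value (comma-separated) looks like a UID.
    """
    parts = urlsplit(target)
    if not parts.path.endswith(VULNERABLE_PATH):
        return None
    # parse_qs percent-decodes, so an encoded quote (%27) is inspected as a quote.
    values = parse_qs(parts.query, keep_blank_values=True).get('programs', [])
    bad = []
    for value in values:
        for item in value.split(','):
            if not UID_RE.match(item):
                bad.append(item)
    return bad


def scan_log(text):
    """Scan access-log text and return one record per request that needs review."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        bad = check_programs_param(m.group('target'))
        if bad:  # None (other endpoint) and [] (clean request) are both skipped
            hits.append({
                'ip': m.group('ip'),
                'user': m.group('user'),
                'timestamp': m.group('ts'),
                'status': m.group('status'),
                'bad_values': bad,
            })
    return hits


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['timestamp']} {hit['ip']} user={hit['user']} "
              f"status={hit['status']} suspicious programs={hit['bad_values']}")
```

Run against the proxy's access log, the output is a short review list: requests by an authenticated user whose `programs` parameter contains something other than identifiers. Because the check is an allow-list, it does not need to enumerate injection syntax and will not miss encodings that a keyword blocklist would; the same regular expression can be applied as a proxy-level rejection rule on unpatched instances until the upgrade to 2.36.10.1 or 2.37.6.1 is done.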


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2022-02-10T00:00:00.000Z
Cisa Enriched
true

Threat ID: 682d9843c4522896dcbf2d1e

Added to database: 5/21/2025, 9:09:23 AM

Last enriched: 6/23/2025, 10:20:06 AM

Last updated: 7/28/2025, 8:26:44 AM

