How severe is CVE-2022-39230?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 6.5 out of 10.

What type of vulnerability is CVE-2022-39230?

This is classified as CWE-200, which is a common weakness in software security.

CVE-2022-39230 - MEDIUM Severity | CVSS 6.5

Vulnerability Description

fhir-works-on-aws-authz-smart is an implementation of the authorization interface from the FHIR Works interface. Versions 3.1.1 and 3.1.2 are subject to Exposure of Sensitive Information to an Unauthorized Actor. This issue allows a client of the API to retrieve more information than the client’s OAuth scope permits when making “search-type” requests. This issue would not allow a client to retrieve information about individuals other than those the client was already authorized to access. Users of fhir-works-on-aws-authz-smart 3.1.1 or 3.1.2 should upgrade to version 3.1.3 or higher immediately. Versions 3.1.0 and below are unaffected. There is no workaround for this issue.

Related Vulnerabilities

CVE-2008-3474

MEDIUM

CVSS:6.5(Medium)

Microsoft Internet Explorer 6 and 7 does not properly determine the domain or security zone of origin of web script, which allows remote attackers to bypass the intended cross-domain security policy a...

CWE-2002008

CVE-2008-5083

MEDIUM

CVSS:6.5(Medium)

In JON 2.1.x before 2.1.2 SP1, users can obtain unauthorized security information about private resources managed by JBoss ON.

CWE-2002008

CVE-2010-0488

MEDIUM

CVSS:6.5(Medium)

Microsoft Internet Explorer 5.01 SP4, 6, 6 SP1, and 7 does not properly handle unspecified "encoding strings," which allows remote attackers to bypass the Same Origin Policy and obtain sensitive infor...

CWE-2002010

CVE-2010-3330

MEDIUM

CVSS:6.5(Medium)

Microsoft Internet Explorer 6 through 8 does not properly restrict script access to content from a different (1) domain or (2) zone, which allows remote attackers to obtain sensitive information via a...

CWE-2002010

CVE-2010-3664

MEDIUM

CVSS:6.5(Medium)

TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows Information Disclosure on the backend.

CWE-2002010

CVE-2010-3917

MEDIUM

CVSS:6.5(Medium)

Google Chrome before 3.0 does not properly handle XML documents, which allows remote attackers to obtain sensitive information via a crafted web site.

CWE-2002010