Miggo Logo
Miggo Vulnerability Database
CVE-2021-32053

CVE-2021-32053: Uncontrolled Resource Consumption in JPA Server in HAPI FHIR

5.3

CVSS Score
3.1

Basic Information

CVE ID
CVE-2021-32053
GHSA ID
GHSA-67f6-c8mx-4q2m
EPSS Score
0.62788%
CWE
CWE-400
Published
6/16/2021
Updated
2/1/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Package NameEcosystemVulnerable VersionsFirst Patched Version
ca.uhn.hapi.fhir:hapi-fhir-jpaserver-basemaven< 5.4.05.4.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from expensive COUNT queries in history operations. The key evidence is in PersistedJpaBundleProvider where the calculateHistoryCount() method was modified to add caching. The pre-patch version would execute a direct COUNT query through historyBuilder.fetchCount() without throttling or caching, which matches the CVE description of uncontrolled resource consumption through simultaneous history requests. The added cache and HistoryCountModeEnum in the patches directly address this vulnerability by preventing redundant COUNT operations.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

JP* S*rv*r in **PI **IR ***or* *.*.* *llows * us*r to **ny s*rvi** (*.*., *is**l* ****ss to t** **t***s* **t*r t** *tt**k stops) vi* *istory r*qu*sts. T*is o**urs ****us* o* * S*L**T *OUNT st*t*m*nt t**t r*quir*s * *ull in**x s**n, wit* *n ***omp*nyi

Reasoning

T** vuln*r**ility st*ms *rom *xp*nsiv* `*OUNT` qu*ri*s in *istory op*r*tions. T** k*y *vi**n** is in `P*rsist**Jp**un*l*Provi**r` w**r* t** `**l*ul*t**istory*ount()` m*t*o* w*s mo*i*i** to *** ****in*. T** pr*-p*t** v*rsion woul* *x**ut* * *ir**t `*O