Api/metadata call returns username - Vulnerability, Acceptance & Penetration Test (VAPT)

DHIS2 v2.40, Tomcat version 9.x. I am a new user of DHIS2. We are undergoing a VAPT test. They have reported that the api/metadata call returns usernames, which is a high risk. What we have tried:

  1. Filter: a filter won’t work, because they are directly calling api/metadata, which returns all of the usernames along with all the other information.
  2. Removed “View User” from “Selected system authorities” via the user role assigned to the user. This didn’t work.
  3. Tried the different options suggested by “Ask AI”, the AI bot of DHIS2. These didn’t work either.

Sample api/metadata response (the relevant part of the response) which contains usernames:

"programs": [
  {
    "name": "Test",
    "created": "2023-06-05T09:26:36.996",
    "lastUpdated": "2023-08-19T05:51:03.584",
    "translations": [],
    "createdBy": {
      "id": "xyz",
      "code": null,
      "name": "Test xyz",
      "displayName": "xyz",
      "username": "xyz@ijk.com"
    },
    "lastUpdatedBy": {
      "id": "xPF7H2KXq9p",
      "code": null,
      "name": "Test User",
      "displayName": "Test abc",
      "username": "admin"
    },
    "user": {
      "id": "xyz",
      "code": null,
      "name": "Test User",
      "displayName": "Test User",
      "username": "xyz@abc.com"
    }
  }
]
The question is how to remove the username from the api/metadata response. Can we grant or remove any specific access for a user so that username information is not displayed?
Looking for support on this one, thanks.
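To verify whether a remediation has actually worked, the check below walks a saved api/metadata response and lists every JSON path at which an account identifier still appears, grouped by top-level metadata collection. This is an added example, not part of the original post and not DHIS2 code; the sample document is constructed from the excerpt above, and the set of keys treated as sensitive (email and phoneNumber alongside username) is an assumption.

```python
import json

# Constructed sample shaped like the api/metadata excerpt in the post (not a real export).
SAMPLE_METADATA = json.loads("""
{
  "programs": [
    {
      "name": "Test",
      "translations": [],
      "createdBy": {"id": "xyz", "displayName": "xyz", "username": "xyz@ijk.com"},
      "lastUpdatedBy": {"id": "xPF7H2KXq9p", "displayName": "Test abc", "username": "admin"},
      "user": {"id": "xyz", "displayName": "Test User", "username": "xyz@abc.com"}
    }
  ],
  "dataElements": [
    {"name": "DE1", "createdBy": {"id": "abc", "displayName": "Someone"}}
  ]
}
""")

# Assumption: keys whose leaf values identify an account and should not appear in a metadata export.
SENSITIVE_KEYS = {"username", "email", "phoneNumber"}


def find_sensitive(node, path="$"):
    """Recursively yield (json_path, key, value) for every sensitive leaf key in the document."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key in SENSITIVE_KEYS and not isinstance(value, (dict, list)):
                yield child, key, value
            yield from find_sensitive(value, child)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from find_sensitive(item, f"{path}[{index}]")


def summarize(metadata):
    """Return {top_level_collection: set(values)} so exposure can be reviewed per collection."""
    summary = {}
    for path, _key, value in find_sensitive(metadata):
        # "$.programs[0].createdBy.username" -> "programs"
        collection = path.split(".")[1].split("[")[0]
        summary.setdefault(collection, set()).add(value)
    return summary


def scan_file(filename):
    """Load a saved api/metadata response from disk and return its exposure summary."""
    with open(filename, encoding="utf-8") as handle:
        return summarize(json.load(handle))


if __name__ == "__main__":
    for path, _key, value in find_sensitive(SAMPLE_METADATA):
        print(f"{path} = {value!r}")
    print(summarize(SAMPLE_METADATA))
```

Save the response the testers fetched (or one fetched with the affected user's credentials) to a file and call scan_file on it before and after each authority change; an empty summary means the export no longer carries account identifiers, while a non-empty one tells you exactly which collections still do.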

Welcome to the community!

It appears that you are giving the user the “Export metadata” authority, which gives the user the ability to access all the metadata. The metadata returned normally includes the ‘createdBy’ and other important information related to the metadata.

Would you share more information and details about the user’s role? Without knowing the role of the user, it’s not easy to determine which authorities and maybe a proper workaround, but it seems to be that this user shouldn’t have the ‘Export metadata’ authority in the first place. :thinking:

Thanks for the inputs!! Appreciate your response. By the way, removing “Export Metadata” didn’t work. Providing you with a screenshot in case that helps.


Thanks! But you are giving all the other authorities to this user, which is probably the reason why you still get the same result. We need to work on the assumption that an authority shouldn’t be given unless it is needed for the role.