{"id":"CVE-2021-32053","details":"JPA Server in HAPI FHIR before 5.4.0 allows a user to deny service (e.g., disable access to the database after the attack stops) via history requests. This occurs because of a SELECT COUNT statement that requires a full index scan, which consumes a large amount of server resources if there are many simultaneous history requests.","aliases":["GHSA-67f6-c8mx-4q2m"],"modified":"2026-05-30T21:59:47.270924Z","published":"2021-05-10T21:15:07.883Z","references":[{"type":"ADVISORY","url":"https://github.com/hapifhir/hapi-fhir/issues/2641"},{"type":"ADVISORY","url":"https://hapifhir.io"},{"type":"FIX","url":"https://github.com/hapifhir/hapi-fhir/pull/2642"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/hapifhir/hapi-fhir","events":[{"introduced":"0"},{"fixed":"8b4ab586ba5f78b34656716a5d09063bad0664fb"}],"database_specific":{"cpe":"cpe:2.3:a:fhir:hapi_fhir:*:*:*:*:*:*:*:*","source":"CPE_RANGE","extracted_events":[{"introduced":"0"},{"fixed":"5.4.0"}]}}],"versions":["v5.3.0","v5.2.0","v5.1.0","v5.0.1","v5.0.0","v4.2.0","v4.0.0","v3.8.0","v3.7.0","v3.6.0","v3.2.0","v3.0.0","v2.5","v2.3","v2.2","v2.1","v2.0","v1.6","v1.5","v1.4","v1.2","v1.1","v0.9","v0.8","v0.6","v0.5","v0.4"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-32053.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}]}