An XML External Entity (XXE) vulnerability in HAPI FHIR before v6.4.0 allows attackers to access sensitive information or execute arbitrary code via supplying a crafted request containing malicious XML entities.
History

Wed, 13 Nov 2024 02:30:00 +0000


Sat, 09 Nov 2024 02:30:00 +0000

Type Values Removed Values Added
Title org.hl7.fhir.convertors: org.hl7.fhir.dstu2: org.hl7.fhir.dstu2016may: org.hl7.fhir.dstu3: org.hl7.fhir.r4: org.hl7.fhir.r5: org.hl7.fhir.utilities: org.hl7.fhir.validation: org.hl7.fhir.core: arbitrary code execution via specially-crafted request org.hl7.fhir.convertors: org.hl7.fhir.dstu2: org.hl7.fhir.dstu2016may: org.hl7.fhir.dstu3: org.hl7.fhir.r4: org.hl7.fhir.r5: org.hl7.fhir.utilities: org.hl7.fhir.validation: org.hl7.fhir.core: FHIR arbitrary code execution via specially-crafted request

Thu, 07 Nov 2024 02:15:00 +0000

Type Values Removed Values Added
Title org.hl7.fhir.convertors: org.hl7.fhir.dstu2: org.hl7.fhir.dstu2016may: org.hl7.fhir.dstu3: org.hl7.fhir.r4: org.hl7.fhir.r5: org.hl7.fhir.utilities: org.hl7.fhir.validation: org.hl7.fhir.core: arbitrary code execution via specially-crafted request
Weaknesses CWE-601
References
Metrics threat_severity

None

cvssV3_0

{'score': 9.1, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

threat_severity

Critical


Wed, 06 Nov 2024 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Fhir
Fhir hapi Fhir
Weaknesses CWE-611
CPEs cpe:2.3:a:fhir:hapi_fhir:*:*:*:*:*:*:*:*
Vendors & Products Fhir
Fhir hapi Fhir
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 05 Nov 2024 17:00:00 +0000

Type Values Removed Values Added
Description An XML External Entity (XXE) vulnerability in HAPI FHIR before v6.4.0 allows attackers to access sensitive information or execute arbitrary code via supplying a crafted request containing malicious XML entities.
References

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2024-11-05T00:00:00

Updated: 2024-11-06T19:23:22.420Z

Reserved: 2024-10-28T00:00:00

Link: CVE-2024-51132

cve-icon Vulnrichment

Updated: 2024-11-06T19:23:15.126Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-11-05T17:15:07.310

Modified: 2024-11-06T20:35:34.173

Link: CVE-2024-51132

cve-icon Redhat

Severity : Critical

Publid Date: 2024-11-05T00:00:00Z

Links: CVE-2024-51132 - Bugzilla