HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. XSLT parsing performed by various components is vulnerable to XML external entity (XXE) injection. A processed XML file with a malicious DTD tag (<!DOCTYPE foo [<!ENTITY example SYSTEM "/etc/passwd"> ]>) could produce XML containing data from the host system. This impacts use cases where org.hl7.fhir.core is used within a host where external clients can submit XML. This is related to GHSA-6cr6-ph3p-f5rf, whose fix (#1571 & #1717) was incomplete. This issue has been addressed in release version 6.4.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
History

Sat, 16 Nov 2024 02:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Redhat; Redhat apache Camel Spring Boot
CPEs                |                | cpe:/a:redhat:apache_camel_spring_boot:4.4.4
Vendors & Products  |                | Redhat; Redhat apache Camel Spring Boot

Tue, 12 Nov 2024 19:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Hapifhir; Hapifhir hl7 Fhir Core
CPEs                |                | cpe:2.3:a:hapifhir:hl7_fhir_core:*:*:*:*:*:*:*:*
Vendors & Products  |                | Hapifhir; Hapifhir hl7 Fhir Core
Metrics             |                | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 12 Nov 2024 01:45:00 +0000

Type       | Values Removed         | Values Added
References |                        |
Metrics    | threat_severity: None  | threat_severity: Important


Fri, 08 Nov 2024 22:45:00 +0000

Type        | Values Removed | Values Added
Description |                | HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. XSLT parsing performed by various components is vulnerable to XML external entity (XXE) injection. A processed XML file with a malicious DTD tag (<!DOCTYPE foo [<!ENTITY example SYSTEM "/etc/passwd"> ]>) could produce XML containing data from the host system. This impacts use cases where org.hl7.fhir.core is used within a host where external clients can submit XML. This is related to GHSA-6cr6-ph3p-f5rf, whose fix (#1571 & #1717) was incomplete. This issue has been addressed in release version 6.4.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Title       |                | XXE vulnerability in XSLT parsing in `org.hl7.fhir.core`
Weaknesses  |                | CWE-611
References  |                |
Metrics     |                | cvssV3_1: {'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-11-08T22:28:20.169Z

Updated: 2024-11-12T18:47:14.559Z

Reserved: 2024-11-04T17:46:16.779Z

Link: CVE-2024-52007

Vulnrichment

Updated: 2024-11-12T18:47:09.555Z

NVD

Status : Awaiting Analysis

Published: 2024-11-08T23:15:04.757

Modified: 2024-11-12T13:56:54.483

Link: CVE-2024-52007

Redhat

Severity : Important

Public Date: 2024-11-08T22:28:20Z

Links: CVE-2024-52007 - Bugzilla