HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. XSLT parsing performed by various components are vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag ( <!DOCTYPE foo [<!ENTITY example SYSTEM "/etc/passwd"> ]> could produce XML containing data from the host system. This impacts use cases where org.hl7.fhir.core is being used to within a host where external clients can submit XML. This is related to GHSA-6cr6-ph3p-f5rf, in which its fix (#1571 & #1717) was incomplete. This issue has been addressed in release version 6.4.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Metrics
Affected Vendors & Products
References
History
Tue, 12 Nov 2024 19:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Hapifhir
Hapifhir hl7 Fhir Core |
|
CPEs | cpe:2.3:a:hapifhir:hl7_fhir_core:*:*:*:*:*:*:*:* | |
Vendors & Products |
Hapifhir
Hapifhir hl7 Fhir Core |
|
Metrics |
ssvc
|
Tue, 12 Nov 2024 01:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
References |
| |
Metrics |
threat_severity
|
threat_severity
|
Fri, 08 Nov 2024 22:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. XSLT parsing performed by various components are vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag ( <!DOCTYPE foo [<!ENTITY example SYSTEM "/etc/passwd"> ]> could produce XML containing data from the host system. This impacts use cases where org.hl7.fhir.core is being used to within a host where external clients can submit XML. This is related to GHSA-6cr6-ph3p-f5rf, in which its fix (#1571 & #1717) was incomplete. This issue has been addressed in release version 6.4.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability. | |
Title | XXE vulnerability in XSLT parsing in `org.hl7.fhir.core` | |
Weaknesses | CWE-611 | |
References |
|
|
Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2024-11-08T22:28:20.169Z
Updated: 2024-11-12T18:47:14.559Z
Reserved: 2024-11-04T17:46:16.779Z
Link: CVE-2024-52007
Vulnrichment
Updated: 2024-11-12T18:47:09.555Z
NVD
Status : Awaiting Analysis
Published: 2024-11-08T23:15:04.757
Modified: 2024-11-12T13:56:54.483
Link: CVE-2024-52007
Redhat