{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-55887", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-12-12T15:00:38.902Z", "datePublished": "2024-12-13T16:08:55.658Z", "dateUpdated": "2024-12-13T17:06:54.775Z"}, "containers": {"cna": {"title": "Ucum-java has an XXE vulnerability in XML parsing", "problemTypes": [{"descriptions": [{"cweId": "CWE-611", "lang": "en", "description": "CWE-611: Improper Restriction of XML External Entity Reference", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/FHIR/Ucum-java/security/advisories/GHSA-w9j7-phm3-f97j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/FHIR/Ucum-java/security/advisories/GHSA-w9j7-phm3-f97j"}], "affected": [{"vendor": "FHIR", "product": "Ucum-java", "versions": [{"version": "< 1.0.9", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-12-13T16:08:55.658Z"}, "descriptions": [{"lang": "en", "value": "Ucum-java is a FHIR Java library providing UCUM Services. In versions prior to 1.0.9, XML parsing performed by the UcumEssenceService is vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag could produce XML containing data from the host system. This impacts use cases where ucum is being used to within a host where external clients can submit XML. Release 1.0.9 of Ucum-java fixes this vulnerability. As a workaround, ensure that the source xml for instantiating UcumEssenceService is trusted."}], "source": {"advisory": "GHSA-w9j7-phm3-f97j", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-12-13T17:06:02.821909Z", "id": "CVE-2024-55887", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-13T17:06:54.775Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-55887", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-12-13T17:06:02.821909Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-13T17:06:41.806Z"}}], "cna": {"title": "Ucum-java has an XXE vulnerability in XML parsing", "source": {"advisory": "GHSA-w9j7-phm3-f97j", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "FHIR", "product": "Ucum-java", "versions": [{"status": "affected", "version": "< 1.0.9"}]}], "references": [{"url": "https://github.com/FHIR/Ucum-java/security/advisories/GHSA-w9j7-phm3-f97j", "name": "https://github.com/FHIR/Ucum-java/security/advisories/GHSA-w9j7-phm3-f97j", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Ucum-java is a FHIR Java library providing UCUM Services. In versions prior to 1.0.9, XML parsing performed by the UcumEssenceService is vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag could produce XML containing data from the host system. This impacts use cases where ucum is being used to within a host where external clients can submit XML. Release 1.0.9 of Ucum-java fixes this vulnerability. As a workaround, ensure that the source xml for instantiating UcumEssenceService is trusted."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-611", "description": "CWE-611: Improper Restriction of XML External Entity Reference"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-12-13T16:08:55.658Z"}}}, "cveMetadata": {"cveId": "CVE-2024-55887", "state": "PUBLISHED", "dateUpdated": "2024-12-13T17:06:54.775Z", "dateReserved": "2024-12-12T15:00:38.902Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-12-13T16:08:55.658Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Ucum-java is a FHIR Java library providing UCUM Services. In versions prior to 1.0.9, XML parsing performed by the UcumEssenceService is vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag could produce XML containing data from the host system. This impacts use cases where ucum is being used to within a host where external clients can submit XML. Release 1.0.9 of Ucum-java fixes this vulnerability. As a workaround, ensure that the source xml for instantiating UcumEssenceService is trusted."}], "id": "CVE-2024-55887", "lastModified": "2024-12-13T16:15:28.063", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-12-13T16:15:28.063", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/FHIR/Ucum-java/security/advisories/GHSA-w9j7-phm3-f97j"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "ucum: Ucum-java has an XXE vulnerability in XML parsing", "id": "2332304", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2332304"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.6", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-611", "details": ["Ucum-java is a FHIR Java library providing UCUM Services. In versions prior to 1.0.9, XML parsing performed by the UcumEssenceService is vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag could produce XML containing data from the host system. This impacts use cases where ucum is being used to within a host where external clients can submit XML. Release 1.0.9 of Ucum-java fixes this vulnerability. As a workaround, ensure that the source xml for instantiating UcumEssenceService is trusted.", "A flaw was found in the ucum-java library for FHIR. XML parsing performed by the UcumEssenceService is vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag could produce XML containing data from the host system. This impacts use cases where ucum is being used within a host where external clients can submit XML."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-55887", "package_state": [{"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "org.fhir/ucum", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Not affected", "package_name": "org.fhir/ucum", "product_name": "Red Hat Integration Camel K 1"}], "public_date": "2024-12-13T16:08:55Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-55887\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-55887\nhttps://github.com/FHIR/Ucum-java/security/advisories/GHSA-w9j7-phm3-f97j"], "statement": "The FHIR component is not supported in Red Hat Fuse 7 and Red Hat Integration Camel K, so these products are not affected by this vulnerability.\nThis vulnerability is of important severity because it enables XML External Entity (XXE) injection, a important issue that can lead to unauthorized access to sensitive data and system compromise. By exploiting improperly configured XML parsers, an attacker can craft malicious XML containing external entities or DTD references to read arbitrary files on the server, such as `/etc/passwd` or configuration files, potentially exposing credentials or system secrets. Additionally, XXE can facilitate Server-Side Request Forgery (SSRF), allowing attackers to interact with internal systems or services, leading to further lateral movement. Given that the affected `UcumEssenceService` may process externally submitted XML files, the exposure surface is significant, especially in environments where user input cannot be fully trusted.", "threat_severity": "Important"}

{}