CVE-2024-52007
Severity CVSS v4.0:
Pending analysis
Type:
CWE-611
Improper Restriction of XML External Entity Reference ('XXE')
Publication date:
08/11/2024
Last modified:
12/11/2024
Description
HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. XSLT parsing performed by various components are vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag ( could produce XML containing data from the host system. This impacts use cases where org.hl7.fhir.core is being used to within a host where external clients can submit XML. This is related to GHSA-6cr6-ph3p-f5rf, in which its fix (#1571 & #1717) was incomplete. This issue has been addressed in release version 6.4.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Impact
Base Score 3.x
8.60
Severity 3.x
HIGH
References to Advisories, Solutions, and Tools
- https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#jaxp-documentbuilderfactory-saxparserfactory-and-dom4j
- https://cwe.mitre.org/data/definitions/611.html
- https://github.com/hapifhir/org.hl7.fhir.core/issues/1571
- https://github.com/hapifhir/org.hl7.fhir.core/pull/1717
- https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-6cr6-ph3p-f5rf
- https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-gr3c-q7xf-47vh