CVE-2024-52007

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-52007
HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. XSLT parsing performed by various components are vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag ( <!DOCTYPE foo [<!ENTITY example SYSTEM "/etc/passwd"> ]> could produce XML containing data from the host system. This impacts use cases where org.hl7.fhir.core is being used to within a host where external clients can submit XML. This is related to GHSA-6cr6-ph3p-f5rf, in which its fix (#1571 & #1717) was incomplete. This issue has been addressed in release version 6.4.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

8.6 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#jaxp-documentbuilderfactory-saxparserfactory-and-dom4j
https://cwe.mitre.org/data/definitions/611.html
https://github.com/hapifhir/org.hl7.fhir.core/issues/1571
https://github.com/hapifhir/org.hl7.fhir.core/pull/1717
https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-6cr6-ph3p-f5rf
https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-gr3c-q7xf-47vh
Configurations

No configuration.

History

12 Nov 2024, 13:56

Type Values Removed Values Added
Summary
  • (es) HAPI FHIR es una implementación completa del estándar HL7 FHIR para la interoperabilidad de la atención médica en Java. El análisis XSLT realizado por varios componentes es vulnerable a las inyecciones de entidades externas XML. Un archivo XML procesado con una etiqueta DTD maliciosa ( ]&gt; podría producir XML que contenga datos del sistema host. Esto afecta los casos de uso en los que se utiliza org.hl7.fhir.core dentro de un host donde los clientes externos pueden enviar XML. Esto está relacionado con GHSA-6cr6-ph3p-f5rf, en el que su corrección (#1571 y #1717) estaba incompleta. Este problema se ha solucionado en la versión de lanzamiento 6.4.0 y se recomienda a todos los usuarios que actualicen. No existen workarounds para esta vulnerabilidad.

08 Nov 2024, 23:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-11-08 23:15

Updated : 2024-11-12 13:56

NVD link : CVE-2024-52007

Mitre link : CVE-2024-52007

CVE.ORG link : CVE-2024-52007

JSON object : View

Products Affected

No product.

CWE
CWE-611

Improper Restriction of XML External Entity Reference