Vulnerabilities
Projects
Vulnerability Disclosure
About Us
Contact Us
Mend.io Vulnerability Database
What is a WS vulnerability ID?
What is an MSC vulnerability ID?
We found results for “”
CVE-2024-52007
Good to know:
Date: November 8, 2024
HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. XSLT parsing performed by various components are vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag ( <!DOCTYPE foo [<!ENTITY example SYSTEM "/etc/passwd"> ]> could produce XML containing data from the host system. This impacts use cases where org.hl7.fhir.core is being used to within a host where external clients can submit XML. This is related to GHSA-6cr6-ph3p-f5rf, in which its fix (#1571 & #1717) was incomplete. This issue has been addressed in release version 6.4.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Language: Java
Severity Score
Related Resources (9)
Severity Score
Weakness Type (CWE)
Improper Restriction of XML External Entity Reference ('XXE')
CWE-611Top Fix
Upgrade Version
Upgrade to version ca.uhn.hapi.fhir:org.hl7.fhir.dstu2016may:6.4.0, ca.uhn.hapi.fhir:org.hl7.fhir.dstu3:6.4.0, ca.uhn.hapi.fhir:org.hl7.fhir.r4:6.4.0, ca.uhn.hapi.fhir:org.hl7.fhir.r4b:6.4.0, ca.uhn.hapi.fhir:org.hl7.fhir.r5:6.4.0, ca.uhn.hapi.fhir:org.hl7.fhir.utilities:6.4.0
CVSS v3.1
| Base Score: |
|
|---|---|
| Attack Vector (AV): | NETWORK |
| Attack Complexity (AC): | LOW |
| Privileges Required (PR): | NONE |
| User Interaction (UI): | NONE |
| Scope (S): | CHANGED |
| Confidentiality (C): | HIGH |
| Integrity (I): | NONE |
| Availability (A): | NONE |