CVE-2024-45294

Sept. 6, 2024, 5:15 p.m.

Awaiting Analysis
CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.

Products

HL7 FHIR Core Artifacts repository

  • before 6.3.23

Source

security-advisories@github.com

CVE-2024-45294 details

Published : Sept. 6, 2024, 4:15 p.m.
Last Modified : Sept. 6, 2024, 5:15 p.m.

Description

The HL7 FHIR Core Artifacts repository provides the Java core object handling code, with utilities (including the validator), for the Fast Healthcare Interoperability Resources (FHIR) specification. Prior to version 6.3.23, XSLT transforms performed by various components are vulnerable to XML external entity injection. A processed XML file with a malicious DTD tag could produce XML containing data from the host system. This impacts use cases where org.hl7.fhir.core is being used within a host where external clients can submit XML. This issue has been patched in release 6.3.23. No known workarounds are available.
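As an added example (not code from org.hl7.fhir.core), the Java program below shows the javax.xml.transform hardening that closes this class of bug and checks it against a constructed document whose DTD declares an external entity pointing at a temp file the program creates itself. It assumes the JDK's built-in XSLT processor, where the hardened transform throws instead of expanding the entity.

```java
// Hardening check for XSLT-driven XXE (CWE-611); added example, not org.hl7.fhir.core code.
import javax.xml.XMLConstants;
import javax.xml.transform.*;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

public class XsltXxeCheck {
    // Identity stylesheet: copies input to output, so any expanded entity text would surface in the result.
    static final String IDENTITY_XSLT =
        "<xsl:stylesheet version='1.0' xmlns:xsl='http://www.w3.org/1999/XSL/Transform'>"
      + "<xsl:template match='/'><xsl:copy-of select='.'/></xsl:template></xsl:stylesheet>";

    // Hardened factory: secure processing plus an explicit ban on external DTD/entity and stylesheet fetches.
    static TransformerFactory hardenedFactory() throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");        // no external DTDs or entities
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); // no xsl:import/include or document() fetches
        return tf;
    }

    static String transform(TransformerFactory tf, String xml) throws TransformerException {
        Transformer t = tf.newTransformer(new StreamSource(new StringReader(IDENTITY_XSLT)));
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a host file; the marker must never reach the transform output.
        Path secret = Files.createTempFile("xxe-check", ".txt");
        Files.write(secret, "MARKER-DO-NOT-LEAK".getBytes(StandardCharsets.UTF_8));
        String hostile = "<?xml version='1.0'?><!DOCTYPE r [<!ENTITY e SYSTEM '" + secret.toUri() + "'>]><r>&e;</r>";
        try {
            // Default factory (the pre-6.3.23 behaviour): the entity is resolved and the file content is copied out.
            String leaked = transform(TransformerFactory.newInstance(), hostile);
            System.out.println("default factory leaked marker: " + leaked.contains("MARKER-DO-NOT-LEAK"));
            // Hardened factory: the transform must fail before any file content reaches the output.
            String out = transform(hardenedFactory(), hostile);
            if (out.contains("MARKER-DO-NOT-LEAK")) throw new AssertionError("hardening failed: marker leaked");
            System.out.println("hardened factory produced output without the marker");
        } catch (TransformerException e) {
            System.out.println("hardened factory refused the document: " + e.getMessage());
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```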

CVSS Score

8.6

Weakness

Weakness: CWE-611
Name: Improper Restriction of XML External Entity Reference
Description: The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

CVSS Data

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

Base Score

8.6

Exploitability Score

3.9

Impact Score

4.0

Base Severity

HIGH

This website uses the NVD API, but is not approved or certified by it.