
CVE-2024-52807 org.hl7.fhir.publisher:org.hl7.fhir.publisher.core

Package

Manager: maven
Name: org.hl7.fhir.publisher:org.hl7.fhir.publisher.core
Vulnerable Version: >=0 <1.7.4

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

EPSS: 0.00088 pctl0.26105

Details

XXE vulnerability in XSLT parsing in `org.hl7.fhir.publisher`

Impact

XSLT transforms performed by various components are vulnerable to XML external entity injection. A processed XML file with a malicious DTD tag ( ]> could produce XML containing data from the host system. This impacts use cases where org.hl7.fhir.publisher is being used within a host where external clients can submit XML. A previous release provided an incomplete solution, as revealed by new testing.

Patches

This issue has been patched as of version 1.7.4.

Workarounds

None

References

[Previous Advisory for Incomplete Solution](https://github.com/HL7/fhir-ig-publisher/security/advisories/GHSA-59rq-22fm-x8q5)
[MITRE CWE](https://cwe.mitre.org/data/definitions/611.html)
[OWASP XML External Entity Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#transformerfactory)

Metadata

Created: 2025-01-24T18:33:29Z
Modified: 2025-01-24T21:40:45Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-8c3x-hq82-gjcm/GHSA-8c3x-hq82-gjcm.json
CWE IDs: ["CWE-611"]
Alternative ID: GHSA-8c3x-hq82-gjcm
Finding: F083
Auto approve: 1