{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-52007","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2024-11-04T17:46:16.779Z","datePublished":"2024-11-08T22:28:20.169Z","dateUpdated":"2024-11-12T18:47:14.559Z"},"containers":{"cna":{"title":"XXE vulnerability in XSLT parsing in `org.hl7.fhir.core`","problemTypes":[{"descriptions":[{"cweId":"CWE-611","lang":"en","description":"CWE-611: Improper Restriction of XML External Entity Reference","type":"CWE"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":8.6,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N","version":"3.1"}}],"references":[{"name":"https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-gr3c-q7xf-47vh","tags":["x_refsource_CONFIRM"],"url":"https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-gr3c-q7xf-47vh"},{"name":"https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-6cr6-ph3p-f5rf","tags":["x_refsource_MISC"],"url":"https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-6cr6-ph3p-f5rf"},{"name":"https://github.com/hapifhir/org.hl7.fhir.core/issues/1571","tags":["x_refsource_MISC"],"url":"https://github.com/hapifhir/org.hl7.fhir.core/issues/1571"},{"name":"https://github.com/hapifhir/org.hl7.fhir.core/pull/1717","tags":["x_refsource_MISC"],"url":"https://github.com/hapifhir/org.hl7.fhir.core/pull/1717"},{"name":"https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#jaxp-documentbuilderfactory-saxparserfactory-and-dom4j","tags":["x_refsource_MISC"],"url":"https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#jaxp-documentbuilderfactory-saxparserfactory-and-dom4j"},{"name":"https://cwe.mitre.org/data/definitions/611.html","tags":["x_refsource_MISC"],"url":"https://cwe.mitre.org/data/definitions/611.html"}],"affected":[{"vendor":"hapifhir","product":"org.hl7.fhir.core","versions":[{"version":"< 6.4.0","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2024-11-08T22:28:20.169Z"},"descriptions":[{"lang":"en","value":"HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. XSLT parsing performed by various components is vulnerable to XML external entity injection. A processed XML file with a malicious DTD tag (<!DOCTYPE foo [<!ENTITY example SYSTEM \"/etc/passwd\"> ]>) could produce XML containing data from the host system. This impacts use cases where org.hl7.fhir.core is being used within a host where external clients can submit XML. This is related to GHSA-6cr6-ph3p-f5rf, whose fix (#1571 & #1717) was incomplete. This issue has been addressed in release version 6.4.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability."}],"source":{"advisory":"GHSA-gr3c-q7xf-47vh","discovery":"UNKNOWN"}},"adp":[{"affected":[{"vendor":"hapifhir","product":"hl7_fhir_core","cpes":["cpe:2.3:a:hapifhir:hl7_fhir_core:*:*:*:*:*:*:*:*"],"defaultStatus":"unknown","versions":[{"version":"0","status":"affected","lessThan":"6.4.0","versionType":"custom"}]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2024-11-12T16:07:55.968328Z","id":"CVE-2024-52007","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-11-12T18:47:14.559Z"}}]}}