CVE-2024-45294

HIGH

HL7 FHIR Core <6.3.23 - XML External Entity Injection

Title source: llm

Description

The HL7 FHIR Core Artifacts repository provides the java core object handling code, with utilities (including validator), for the Fast Healthcare Interoperability Resources (FHIR) specification. Prior to version 6.3.23, XSLT transforms performed by various components are vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag could produce XML containing data from the host system. This impacts use cases where org.hl7.fhir.core is being used to within a host where external clients can submit XML. This issue has been patched in release 6.3.23. No known workarounds are available.

References (4)

[Vendor Advisory] https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-6cr6-ph3p-f5rf

[Vendor Advisory] https://github.com/HL7/fhir-ig-publisher/security/advisories/GHSA-59rq-22fm-x8q5

[Release Notes] https://github.com/HL7/fhir-ig-publisher/releases/tag/1.6.22

[Release Notes] https://github.com/hapifhir/org.hl7.fhir.core/releases/tag/6.3.23

Scores

CVSS v3 8.6

EPSS 0.0009

EPSS Percentile 25.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-611

Status published

Products (7)

ca.uhn.hapi.fhir/org.hl7.fhir.dstu2016may 0 - 6.3.23Maven

ca.uhn.hapi.fhir/org.hl7.fhir.dstu3 0 - 6.3.23Maven

ca.uhn.hapi.fhir/org.hl7.fhir.r4 0 - 6.3.23Maven

ca.uhn.hapi.fhir/org.hl7.fhir.r4b 0 - 6.3.23Maven

ca.uhn.hapi.fhir/org.hl7.fhir.r5 0 - 6.3.23Maven

ca.uhn.hapi.fhir/org.hl7.fhir.utilities 0 - 6.3.23Maven

hapifhir/org.hl7.fhir.core < 6.3.23

Published Sep 06, 2024

Tracked Since Feb 18, 2026