CVE-2024-52807

HIGH

Org.hl7.fhir.publisher.cli < 1.7.4 - XXE

Title source: rule

Description

The HL7 FHIR IG publisher is a tool to take a set of inputs and create a standard FHIR IG. Prior to version 1.7.4, XSLT transforms performed by various components are vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag `( ]>` could produce XML containing data from the host system. This impacts use cases where org.hl7.fhir.publisher is being used to within a host where external clients can submit XML. A previous release provided an incomplete solution revealed by new testing. This issue has been patched as of version 1.7.4. No known workarounds are available.

References (3)

[Vendor Advisory] https://github.com/HL7/fhir-ig-publisher/security/advisories/GHSA-8c3x-hq82-gjcm

[Patch] https://github.com/HL7/fhir-ig-publisher/commit/3560de2f486d688a3ddcf4aa54d8bdacea380c3d

View Patch ZIP pw:eip

[Various Sources] https://github.com/HL7/fhir-ig-publisher/compare/1.7.3...1.7.4

Scores

CVSS v3 8.6

EPSS 0.0003

EPSS Percentile 9.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-611

Status published

Products (3)

HL7/fhir-ig-publisher < 1.7.4

org.hl7.fhir.publisher/org.hl7.fhir.publisher.cli 0 - 1.7.4Maven

org.hl7.fhir.publisher/org.hl7.fhir.publisher.core 0 - 1.7.4Maven

Published Jan 24, 2025

Tracked Since Feb 18, 2026