CVE-2024-45294 HIGH

CVE-2024-45294: `org.hl7.fhir.core` XXE vulnerability in XSLT transforms

Vendor Hapifhir
Product org.hl7.fhir.core
Weakness CWE-611 · XXE
Published September 6, 2024
Last update September 6, 2024

CVSS base score

8.6/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

What the vulnerability does

01Description

The HL7 FHIR Core Artifacts repository provides the java core object handling code, with utilities (including validator), for the Fast Healthcare Interoperability Resources (FHIR) specification. Prior to version 6.3.23, XSLT transforms performed by various components are vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag could produce XML containing data from the host system. This impacts use cases where org.hl7.fhir.core is being used to within a host where external clients can submit XML. This issue has been patched in release 6.3.23. No known workarounds are available.

Key dates

02Disclosure timeline

September 6, 2024 CVE published
September 6, 2024 Record updated

Related vulnerabilities

04Related CVE