8.6

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-52007

GHSA ID

GHSA-gr3c-q7xf-47vh

EPSS Score

0.3995%

CWE

CWE-611

Published

11/8/2024

Updated

11/12/2024

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-52007

CVE-2024-52007:
XXE vulnerability in XSLT parsing in `org.hl7.fhir.core`

Summary

XSLT parsing performed by various components are vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag ( <!DOCTYPE foo [<!ENTITY example SYSTEM "/etc/passwd"> ]> could produce XML containing data from the host system. This impacts use cases where org.hl7.fhir.core is being used to within a host where external clients can submit XML.

Details

This is related to https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-6cr6-ph3p-f5rf, in which its fix ( https://github.com/hapifhir/org.hl7.fhir.core/issues/1571, https://github.com/hapifhir/org.hl7.fhir.core/pull/1717) was incomplete.

References

https://cwe.mitre.org/data/definitions/611.html https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#jaxp-documentbuilderfactory-saxparserfactory-and-dom4j

(GitHub Advisory)

8.6

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-52007

GHSA ID

GHSA-gr3c-q7xf-47vh

EPSS Score

0.3995%

CWE

CWE-611

Published

11/8/2024

Updated

11/12/2024

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
ca.uhn.hapi.fhir:org.hl7.fhir.dstu3	maven	< 6.4.0	6.4.0
ca.uhn.hapi.fhir:org.hl7.fhir.r4	maven	< 6.4.0	6.4.0
ca.uhn.hapi.fhir:org.hl7.fhir.r4b	maven	< 6.4.0	6.4.0
ca.uhn.hapi.fhir:org.hl7.fhir.r5	maven	< 6.4.0	6.4.0
ca.uhn.hapi.fhir:org.hl7.fhir.utilities	maven	< 6.4.0	6.4.0
ca.uhn.hapi.fhir:org.hl7.fhir.dstu2016may	maven	< 6.4.0	6.4.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The analysis involved examining the patches provided for the XXE vulnerability fix in org.hl7.fhir.core. The patches showed changes in various XmlParser classes and utility classes related to XSLT processing, where insecure TransformerFactory instantiations were replaced with a secure method XMLUtil.newXXEProtectedTransformerFactory(). The functions that were modified are considered vulnerable or related to the vulnerability mitigation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry XSLT p*rsin* p*r*orm** *y v*rious *ompon*nts *r* vuln*r**l* to XML *xt*rn*l *ntity inj**tions. * pro**ss** XML *il* wit* * m*li*ious *T* t** ( <!*O*TYP* *oo [<!*NTITY *x*mpl* SYST*M "/*t*/p*ssw*"> ]> *oul* pro*u** XML *ont*inin* **t* *rom

Reasoning

T** *n*lysis involv** *x*minin* t** p*t***s provi*** *or t** XX* vuln*r**ility *ix in `or*.*l*.**ir.*or*`. T** p*t***s s*ow** ***n**s in v*rious `XmlP*rs*r` *l*ss*s *n* utility *l*ss*s r*l*t** to XSLT pro**ssin*, w**r* ins**ur* `Tr*ns*orm*r***tory` i

8.6

Basic Information

Concerned about an active attack path?

CVE-2024-52007: XXE vulnerability in XSLT parsing in `org.hl7.fhir.core`

Summary

Details

References

8.6

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2024-52007:
XXE vulnerability in XSLT parsing in `org.hl7.fhir.core`

Vulnerability Intelligence
Miggo AI