exploitDog
CVE-2024-45294

Published: 06 Sep 2024
Source: redhat
CVSS3: 8.6
EPSS: Low

Description

The HL7 FHIR Core Artifacts repository provides the Java core object handling code, with utilities (including the validator), for the Fast Healthcare Interoperability Resources (FHIR) specification. Prior to version 6.3.23, XSLT transforms performed by various components are vulnerable to XML external entity injection. A processed XML file with a malicious DTD tag could produce XML containing data from the host system. This impacts use cases where org.hl7.fhir.core is being used within a host where external clients can submit XML. This issue has been patched in release 6.3.23. No known workarounds are available.

A flaw was found in HAPI FHIR - HL7 FHIR Core Artifacts. eXtensible Stylesheet Language Transformations (XSLT) transforms performed by various components are vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag could produce XML containing data from the host system. This issue impacts use cases where org.hl7.fhir.core is being used within a host where external clients can submit XML.

Report

This vulnerability is of significant severity because it allows XML External Entity (XXE) injection, which can lead to unauthorized access to and leakage of sensitive data from the host system. In environments where external clients are permitted to submit XML files, an attacker could craft a malicious XML document containing a DTD (Document Type Definition) that references external entities. When processed, this could result in the unauthorized disclosure of files, environment variables, or other confidential data from the server, potentially compromising the integrity and confidentiality of the system.

Mitigation

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Affected packages

Platform | Package | State | Advisory | Release
Red Hat build of Apache Camel for Spring Boot 3 | ca.uhn.hapi.fhir/org.hl7.fhir.dstu2016may | Affected | - | -
Red Hat build of Apache Camel for Spring Boot 3 | ca.uhn.hapi.fhir/org.hl7.fhir.dstu3 | Affected | - | -
Red Hat build of Apache Camel for Spring Boot 3 | ca.uhn.hapi.fhir/org.hl7.fhir.r4 | Affected | - | -
Red Hat build of Apache Camel for Spring Boot 3 | ca.uhn.hapi.fhir/org.hl7.fhir.r5 | Affected | - | -
Red Hat build of Apache Camel for Spring Boot 3 | ca.uhn.hapi.fhir/org.hl7.fhir.utilities | Affected | - | -
Red Hat build of Quarkus | ca.uhn.hapi.fhir/org.hl7.fhir.dstu2016may | Not affected | - | -
Red Hat build of Quarkus | ca.uhn.hapi.fhir/org.hl7.fhir.dstu3 | Not affected | - | -
Red Hat build of Quarkus | ca.uhn.hapi.fhir/org.hl7.fhir.r4 | Not affected | - | -
Red Hat build of Quarkus | ca.uhn.hapi.fhir/org.hl7.fhir.r5 | Not affected | - | -
Red Hat build of Quarkus | ca.uhn.hapi.fhir/org.hl7.fhir.utilities | Not affected | - | -


Additional information

Status:

Important
Weakness:
CWE-611
https://bugzilla.redhat.com/show_bug.cgi?id=2310447
org.hl7.fhir.core: org.hl7.fhir.dstu3: org.hl7.fhir.r4: org.hl7.fhir.r4b: org.hl7.fhir.r5: org.hl7.fhir.utilities: XXE vulnerability in XSLT transforms in `org.hl7.fhir.core`

EPSS: 0.00066 (percentile 21%, Low)

CVSS3: 8.6 High

Related vulnerabilities

CVSS3: 8.6
nvd
more than 1 year ago

CVSS3: 8.6
github
more than 1 year ago

XXE vulnerability in XSLT transforms in `org.hl7.fhir.core`
