Description
An XML External Entity (XXE) vulnerability in HAPI FHIR before v6.4.0 allows attackers to access sensitive information or execute arbitrary code via supplying a crafted request containing malicious XML entities.
A flaw was found in HAPI FHIR, a Java implementation of Fast Healthcare Interoperability Resources (FHIR). This vulnerability could allow attackers to execute arbitrary code or access sensitive information via a crafted request which contains malicious XML entities.
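The descriptions above name the bug class but not what a crafted request looks like or how to verify that a parser in your own deployment is not exposed. The following is an added illustration, not code from HAPI FHIR or Red Hat: it builds a FHIR-shaped Patient resource whose XHTML narrative references an external entity pointing at a local file, then parses it twice with plain JAXP DOM (not HAPI FHIR's own parser), once with a default `DocumentBuilderFactory` and once with a hardened one. The file name, the secret content and the `XxeCheck` class are all constructed for the example. Entity references are placed in element content (the `<div>` narrative) rather than in a `value` attribute, because XML forbids external entity references inside attribute values.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class XxeCheck {

    /** Constructed payload: a FHIR Patient whose narrative pulls in a server-side file. */
    static String craftedPatient(Path secret) {
        return "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE Patient [\n"
            + "  <!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">\n"
            + "]>\n"
            + "<Patient xmlns=\"http://hl7.org/fhir\">\n"
            + "  <id value=\"example\"/>\n"
            + "  <text>\n"
            + "    <status value=\"generated\"/>\n"
            + "    <div xmlns=\"http://www.w3.org/1999/xhtml\">&xxe;</div>\n"
            + "  </text>\n"
            + "</Patient>\n";
    }

    /** Stock JAXP configuration: DOCTYPE is accepted and external entities are resolved. */
    static DocumentBuilder permissiveBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    /** Hardened configuration: refuse any DOCTYPE, so no entity can be declared at all. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces in case a deployment has to allow a DOCTYPE for other reasons.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    /** Returns the narrative text an application would store after parsing the resource. */
    static String narrativeText(DocumentBuilder builder, String xml)
            throws SAXException, java.io.IOException {
        Document doc = builder.parse(new InputSource(new StringReader(xml)));
        return doc.getElementsByTagName("div").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed "secret" standing in for a config file the FHIR server can read.
        Path secret = Files.createTempFile("fhir-secret", ".txt");
        Files.write(secret, "db-password=hunter2".getBytes(StandardCharsets.UTF_8));
        String xml = craftedPatient(secret);

        // Default parser: the file contents come back inside the parsed resource.
        System.out.println("permissive: " + narrativeText(permissiveBuilder(), xml));

        // Hardened parser: the DOCTYPE is rejected before any entity is resolved.
        try {
            narrativeText(hardenedBuilder(), xml);
            System.out.println("hardened: parsed (parser is NOT hardened)");
        } catch (SAXException e) {
            System.out.println("hardened: rejected (" + e.getMessage() + ")");
        }
        Files.deleteIfExists(secret);
    }
}
```

The check works for any service that accepts FHIR XML from clients and configures its own JAXP parser: if the permissive branch prints the secret, a request from an unauthenticated client reaches the filesystem of the server. Disallowing the DOCTYPE declaration is the single setting that closes the whole class; the remaining features only matter where a DOCTYPE must be tolerated.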
Statement
Red Hat Build of Apache Camel K provides support for a select group of extensions for Camel Quarkus. As FHIR is not on this list, it is marked as out of support scope. Consult the external references section for the list of supported Camel Quarkus extensions. While Red Hat Fuse 7 includes a vulnerable version of FHIR, the product does not utilize the affected function. This reduces the impact of the vulnerability to Low.
Mitigation
Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.
Affected Packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat build of Apache Camel for Spring Boot 3 | ca.uhn.hapi.fhir/org.hl7.fhir.dstu2 | Out of support scope | | |
| Red Hat build of Apache Camel for Spring Boot 3 | ca.uhn.hapi.fhir/org.hl7.fhir.dstu2016may | Out of support scope | | |
| Red Hat build of Apache Camel for Spring Boot 3 | ca.uhn.hapi.fhir/org.hl7.fhir.dstu3 | Out of support scope | | |
| Red Hat build of Apache Camel for Spring Boot 3 | ca.uhn.hapi.fhir/org.hl7.fhir.r4 | Out of support scope | | |
| Red Hat build of Apache Camel for Spring Boot 3 | ca.uhn.hapi.fhir/org.hl7.fhir.r5 | Out of support scope | | |
| Red Hat build of Apache Camel for Spring Boot 3 | ca.uhn.hapi.fhir/org.hl7.fhir.utilities | Out of support scope | | |
| Red Hat Fuse 7 | ca.uhn.hapi.fhir/org.hl7.fhir.convertors | Fix deferred | | |
| Red Hat Fuse 7 | ca.uhn.hapi.fhir-org.hl7.fhir.core | Fix deferred | | |
| Red Hat Fuse 7 | ca.uhn.hapi.fhir/org.hl7.fhir.dstu2 | Fix deferred | | |
| Red Hat Fuse 7 | ca.uhn.hapi.fhir/org.hl7.fhir.dstu2016may | Fix deferred | | |
CVSS3: 9.1 Critical
Related vulnerabilities
HAPI FHIR XML External Entity (XXE) vulnerability