exploitDog

CVE-2024-55887

Published: 13 Dec 2024
Source: redhat
CVSS3: 8.6
EPSS: Low

Description

Ucum-java is a FHIR Java library providing UCUM Services. In versions prior to 1.0.9, XML parsing performed by the UcumEssenceService is vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag could produce XML containing data from the host system. This impacts use cases where ucum is being used within a host where external clients can submit XML. Release 1.0.9 of Ucum-java fixes this vulnerability. As a workaround, ensure that the source XML for instantiating UcumEssenceService is trusted.

A flaw was found in the ucum-java library for FHIR. XML parsing performed by the UcumEssenceService is vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag could produce XML containing data from the host system. This impacts use cases where ucum is being used within a host where external clients can submit XML.

Statement

The FHIR component is not supported in Red Hat Fuse 7 and Red Hat Integration Camel K, so these products are not affected by this vulnerability. This vulnerability is of important severity because it enables XML External Entity (XXE) injection, an important issue that can lead to unauthorized access to sensitive data and system compromise. By exploiting improperly configured XML parsers, an attacker can craft malicious XML containing external entities or DTD references to read arbitrary files on the server, such as /etc/passwd or configuration files, potentially exposing credentials or system secrets. Additionally, XXE can facilitate Server-Side Request Forgery (SSRF), allowing attackers to interact with internal systems or services, leading to further lateral movement. Given that the affected UcumEssenceService may process externally submitted XML files, the exposure surface is significant, especially in environments where user input cannot be fully trusted.

Mitigation

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria, comprising ease of use and deployment, applicability to a widespread installation base, or stability.

Affected packages

Platform                          | Package        | Status       | Recommendation | Release
Red Hat Fuse 7                    | org.fhir/ucum  | Not affected |                |
Red Hat Integration Camel K 1     | org.fhir/ucum  | Not affected |                |

Additional information

Status: Important
Weakness: CWE-611
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2332304
ucum: Ucum-java has an XXE vulnerability in XML parsing

EPSS

Percentile: 43%
Score: 0.00208
Low

8.6 High

CVSS3

Related vulnerabilities

CVSS3: 8.6
nvd
about 1 year ago


CVSS3: 8.6
github
about 1 year ago

Ucum-java has an XXE vulnerability in XML parsing

CVSS3: 8.6
fstec
about 1 year ago

Vulnerability in the Ucum library for the Java programming language that allows an attacker to carry out XXE attacks
