XXE vulnerability in XSLT parsing in `org.hl7.fhir.core`
Severity: High (GitHub Reviewed)
Published: Nov 8, 2024, in hapifhir/org.hl7.fhir.core
Updated: Nov 12, 2024
Package: org.hl7.fhir.core
Affected versions: < 6.4.0
Patched versions: 6.4.0

Description
Published to the GitHub Advisory Database: Nov 8, 2024
Reviewed: Nov 8, 2024
Published by the National Vulnerability Database: Nov 8, 2024
Last updated: Nov 12, 2024
Summary
XSLT parsing performed by various components is vulnerable to XML external entity (XXE) injection. A processed XML file with a malicious DTD tag ( ]> could produce XML containing data from the host system. This impacts use cases where org.hl7.fhir.core is being used within a host where external clients can submit XML.
Details
This is related to GHSA-6cr6-ph3p-f5rf, whose fix (hapifhir/org.hl7.fhir.core#1571, hapifhir/org.hl7.fhir.core#1717) was incomplete.
References
https://cwe.mitre.org/data/definitions/611.html
https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#jaxp-documentbuilderfactory-saxparserfactory-and-dom4j