CVE-2024-52807

  1. Yack CVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-52807

8.6 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

T

he HL7 FHIR IG publisher is a tool to take a set of inputs and create a standard FHIR IG. Prior to version 1.7.4, XSLT transforms performed by various components are vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag `( ]>` could produce XML containing data from the host system. This impacts use cases where org.hl7.fhir.publisher is being used to within a host where external clients can submit XML. A previous release provided an incomplete solution revealed by new testing. This issue has been patched as of version 1.7.4. No known workarounds are available.

References
Link Resource
https://github.com/HL7/fhir-ig-publisher/commit/3560de2f486d688a3ddcf4aa54d8bdacea380c3d
https://github.com/HL7/fhir-ig-publisher/compare/1.7.3...1.7.4
https://github.com/HL7/fhir-ig-publisher/security/advisories/GHSA-8c3x-hq82-gjcm
Configurations

No configuration.

History

29 Jan 2026, 00:16

Type Values Removed Values Added
References
  • () https://github.com/HL7/fhir-ig-publisher/commit/3560de2f486d688a3ddcf4aa54d8bdacea380c3d -
Summary
  • (es) El HL7 FHIR IG publisher es una herramienta que toma un conjunto de entradas y crea un FHIR IG estándar. Antes de la versión 1.7.4, las transformaciones XSLT realizadas por varios componentes son vulnerables a las inyecciones de entidades externas XML. Un archivo XML procesado con una etiqueta DTD maliciosa `( ]>` podría producir XML que contenga datos del host sistema. Esto afecta los casos de uso en los que se utiliza org.hl7.fhir.publisher dentro de un host donde los clientes externos pueden enviar XML. Una versión anterior proporcionó una solución incompleta revelada por nuevas pruebas. Este problema se ha solucionado a partir de la versión 1.7.4. No hay workarounds disponibles.

24 Jan 2025, 19:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-01-24 19:15

Updated : 2026-01-29 00:16

NVD link : CVE-2024-52807

Mitre link : CVE-2024-52807

CVE.ORG link : CVE-2024-52807

JSON object : View

Products Affected

No product.

CWE
CWE-611

Improper Restriction of XML External Entity Reference