XML External Entity Injection in HL7 FHIR IG Publisher Tool
CVE-2024-52807

8.6HIGH

Key Information:

Vendor: Hl7
Status: Fhir-ig-publisher
Vendor: CVE Published:; 24 January 2025

What is CVE-2024-52807?

The HL7 FHIR IG Publisher, a tool for generating compliant FHIR Implementation Guides, is vulnerable to XML External Entity (XXE) injections prior to version 1.7.4. Attackers can exploit this vulnerability by submitting XML with malicious DTD tags, potentially compromising sensitive data from the host system. This situation arises in scenarios where the publisher accepts XML inputs from external clients. The issue has been addressed in the latest version 1.7.4. Users are encouraged to update immediately, as no workarounds exist to mitigate the risk.

Affected Version(s)

fhir-ig-publisher < 1.7.4

References

https://github.com/HL7/fhir-ig-publisher/security/advisor...

x_refsource_CONFIRM

https://github.com/HL7/fhir-ig-publisher/compare/1.7.3......

x_refsource_MISC

CVSS V3.1

Score:

8.6

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 24, 2025
Vulnerability Reserved
Nov 15, 2024

Hl7

What is CVE-2024-52807?

Affected Version(s)

References

CVSS V3.1

Timeline