CVE-2024-51132-POC

Vulnerability Type

XXE - XML External Entity Injection. The XXE vulnerability found within mulitple artifacts or modules with https://github.com/hapifhir/org.hl7.fhir.core/ repository can be further exploited to do SSRF, leak information and etc.

Affected Products and Versions

org.hl7.fhir.convertors < 6.4.0

org.hl7.fhir.dstu2 < 6.4.0

org.hl7.fhir.dstu2016may < 6.4.0

org.hl7.fhir.dstu3 < 6.4.0

org.hl7.fhir.r4 < 6.4.0

org.hl7.fhir.r4b < 6.4.0

org.hl7.fhir.r5 < 6.4.0

org.hl7.fhir.utilities < 6.4.0

org.hl7.fhir.validation < 6.4.0

Comment

Found one of vulnerable places with my code analysis tool on probably 10/19/2024. However later I found there had been multiple commits by maintainers to fix the vulnerability and showed there were even more of them with the same issue than I thought.

Reference

https://github.com/hapifhir/org.hl7.fhir.core/commit/7ede053a5fca50cc2802884c661a241d51703a67

Name		Name	Last commit message	Last commit date
Latest commit History 12 Commits
FHIRPoC.java		FHIRPoC.java
README.md		README.md
poc.xml		poc.xml

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

CVE-2024-51132-POC

Vulnerability Type

Affected Products and Versions

Comment

Reference

About

Releases

Packages

Languages

JAckLosingHeart/CVE-2024-51132-POC

Folders and files

Latest commit

History

Repository files navigation

CVE-2024-51132-POC

Vulnerability Type

Affected Products and Versions

Comment

Reference

About

Resources

Stars

Watchers

Forks

Releases

Packages 0

Languages

Packages