You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. XSLT parsing performed by various components are vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag ( ]> could produce XML containing data from the host system. This impacts use cases where org.hl7.fhir.core is being used to within a host where external clients can submit XML. This is related to GHSA-6cr6-ph3p-f5rf, in which its fix (#1571 & #1717) was incomplete. This issue has been addressed in release version 6.4.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
mend-bolt-for-githubbot
changed the title
CVE-2024-52007 (High) detected in org.hl7.fhir.dstu2016may-5.6.36.jar
CVE-2024-52007 (High) detected in org.hl7.fhir.dstu2016may-5.6.36.jar - autoclosed
Dec 12, 2024
✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
CVE-2024-52007 - High Severity Vulnerability
Vulnerable Library - org.hl7.fhir.dstu2016may-5.6.36.jar
Library home page: http://hl7.org
Path to dependency file: /hapi-tinder-plugin/pom.xml
Path to vulnerable library: /hapi-tinder-plugin/pom.xml
Dependency Hierarchy:
Found in HEAD commit: 4d4d8b25d41ea632109b5a3585587d2bf861b5d6
Found in base branch: master
Vulnerability Details
HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. XSLT parsing performed by various components are vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag ( ]> could produce XML containing data from the host system. This impacts use cases where org.hl7.fhir.core is being used to within a host where external clients can submit XML. This is related to GHSA-6cr6-ph3p-f5rf, in which its fix (#1571 & #1717) was incomplete. This issue has been addressed in release version 6.4.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Publish Date: 2024-11-08
URL: CVE-2024-52007
CVSS 3 Score Details (8.6)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-gr3c-q7xf-47vh
Release Date: 2024-11-08
Fix Resolution (ca.uhn.hapi.fhir:org.hl7.fhir.dstu2016may): 6.4.0
Direct dependency fix Resolution (ca.uhn.hapi.fhir:hapi-fhir-structures-dstu2.1): 7.6.0
Step up your Open Source Security Game with Mend here
The text was updated successfully, but these errors were encountered: