CVE-2024-45294: XXE vulnerability in XSLT transforms in `org.hl7.fhir.core`
XSLT transforms performed by various components are vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag ( <!DOCTYPE foo [<!ENTITY example SYSTEM "/etc/passwd"> ]> could produce XML containing data from the host system. This impacts use cases where org.hl7.fhir.core is being used to within a host where external clients can submit XML.
References
- github.com/HL7/fhir-ig-publisher/releases/tag/1.6.22
- github.com/HL7/fhir-ig-publisher/security/advisories/GHSA-59rq-22fm-x8q5
- github.com/advisories/GHSA-6cr6-ph3p-f5rf
- github.com/hapifhir/org.hl7.fhir.core
- github.com/hapifhir/org.hl7.fhir.core/releases/tag/6.3.23
- github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-6cr6-ph3p-f5rf
- nvd.nist.gov/vuln/detail/CVE-2024-45294
Code Behaviors & Features
Detect and mitigate CVE-2024-45294 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →