{"affected_release": [{"advisory": "RHSA-2024:6883", "cpe": "cpe:/a:redhat:apache_camel_spring_boot:3.20.7", "package": "ca.uhn.hapi.fhir/org.hl7.fhir.dstu2016may", "product_name": "Red Hat build of Apache Camel 3.20.7 for Spring Boot", "release_date": "2024-09-19T00:00:00Z"}, {"advisory": "RHSA-2024:6883", "cpe": "cpe:/a:redhat:apache_camel_spring_boot:3.20.7", "package": "ca.uhn.hapi.fhir/org.hl7.fhir.dstu3", "product_name": "Red Hat build of Apache Camel 3.20.7 for Spring Boot", "release_date": "2024-09-19T00:00:00Z"}, {"advisory": "RHSA-2024:6883", "cpe": "cpe:/a:redhat:apache_camel_spring_boot:3.20.7", "package": "ca.uhn.hapi.fhir/org.hl7.fhir.r4", "product_name": "Red Hat build of Apache Camel 3.20.7 for Spring Boot", "release_date": "2024-09-19T00:00:00Z"}, {"advisory": "RHSA-2024:6883", "cpe": "cpe:/a:redhat:apache_camel_spring_boot:3.20.7", "package": "ca.uhn.hapi.fhir/org.hl7.fhir.r5", "product_name": "Red Hat build of Apache Camel 3.20.7 for Spring Boot", "release_date": "2024-09-19T00:00:00Z"}, {"advisory": "RHSA-2024:6883", "cpe": "cpe:/a:redhat:apache_camel_spring_boot:3.20.7", "package": "ca.uhn.hapi.fhir/org.hl7.fhir.utilities", "product_name": "Red Hat build of Apache Camel 3.20.7 for Spring Boot", "release_date": "2024-09-19T00:00:00Z"}, {"advisory": "RHSA-2024:8064", "cpe": "cpe:/a:redhat:apache_camel_spring_boot:4.4.3", "package": "ca.uhn.hapi.fhir/org.hl7.fhir.dstu2016may", "product_name": "Red Hat build of Apache Camel 4.4.3 for Spring Boot", "release_date": "2024-10-14T00:00:00Z"}, {"advisory": "RHSA-2024:8064", "cpe": "cpe:/a:redhat:apache_camel_spring_boot:4.4.3", "package": "ca.uhn.hapi.fhir/org.hl7.fhir.dstu3", "product_name": "Red Hat build of Apache Camel 4.4.3 for Spring Boot", "release_date": "2024-10-14T00:00:00Z"}, {"advisory": "RHSA-2024:8064", "cpe": "cpe:/a:redhat:apache_camel_spring_boot:4.4.3", "package": "ca.uhn.hapi.fhir/org.hl7.fhir.r4", "product_name": "Red Hat build of Apache Camel 4.4.3 for Spring Boot", 
"release_date": "2024-10-14T00:00:00Z"}, {"advisory": "RHSA-2024:8064", "cpe": "cpe:/a:redhat:apache_camel_spring_boot:4.4.3", "package": "ca.uhn.hapi.fhir/org.hl7.fhir.r5", "product_name": "Red Hat build of Apache Camel 4.4.3 for Spring Boot", "release_date": "2024-10-14T00:00:00Z"}, {"advisory": "RHSA-2024:8064", "cpe": "cpe:/a:redhat:apache_camel_spring_boot:4.4.3", "package": "ca.uhn.hapi.fhir/org.hl7.fhir.utilities", "product_name": "Red Hat build of Apache Camel 4.4.3 for Spring Boot", "release_date": "2024-10-14T00:00:00Z"}, {"advisory": "RHSA-2024:7052", "cpe": "cpe:/a:redhat:camel_quarkus:3.8", "package": "ca.uhn.hapi.fhir/org.hl7.fhir.dstu2016may", "product_name": "Red Hat build of Apache Camel 4 for Quarkus 3", "release_date": "2024-09-24T00:00:00Z"}, {"advisory": "RHSA-2024:7052", "cpe": "cpe:/a:redhat:camel_quarkus:3.8", "package": "ca.uhn.hapi.fhir/org.hl7.fhir.dstu3", "product_name": "Red Hat build of Apache Camel 4 for Quarkus 3", "release_date": "2024-09-24T00:00:00Z"}, {"advisory": "RHSA-2024:7052", "cpe": "cpe:/a:redhat:camel_quarkus:3.8", "package": "ca.uhn.hapi.fhir/org.hl7.fhir.r4", "product_name": "Red Hat build of Apache Camel 4 for Quarkus 3", "release_date": "2024-09-24T00:00:00Z"}, {"advisory": "RHSA-2024:7052", "cpe": "cpe:/a:redhat:camel_quarkus:3.8", "package": "ca.uhn.hapi.fhir/org.hl7.fhir.r5", "product_name": "Red Hat build of Apache Camel 4 for Quarkus 3", "release_date": "2024-09-24T00:00:00Z"}, {"advisory": "RHSA-2024:7052", "cpe": "cpe:/a:redhat:camel_quarkus:3.8", "package": "ca.uhn.hapi.fhir/org.hl7.fhir.utilities", "product_name": "Red Hat build of Apache Camel 4 for Quarkus 3", "release_date": "2024-09-24T00:00:00Z"}], "bugzilla": {"description": "org.hl7.fhir.core: org.hl7.fhir.dstu3: org.hl7.fhir.r4: org.hl7.fhir.r4b: org.hl7.fhir.r5: org.hl7.fhir.utilities: XXE vulnerability in XSLT transforms in `org.hl7.fhir.core`", "id": "2310447", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2310447"}, "csaw": false, "cvss3": 
{"cvss3_base_score": "8.6", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-611", "details": ["The HL7 FHIR Core Artifacts repository provides the java core object handling code, with utilities (including validator), for the Fast Healthcare Interoperability Resources (FHIR) specification. Prior to version 6.3.23, XSLT transforms performed by various components are vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag could produce XML containing data from the host system. This impacts use cases where org.hl7.fhir.core is being used within a host where external clients can submit XML. This issue has been patched in release 6.3.23. No known workarounds are available.", "A flaw was found in HAPI FHIR - HL7 FHIR Core Artifacts. eXtensible Stylesheet Language Transformations (XSLT) transforms performed by various components are vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag could produce XML containing data from the host system. 
This issue impacts use cases where org.hl7.fhir.core is being used within a host where external clients can submit XML."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-45294", "package_state": [{"cpe": "cpe:/a:redhat:camel_spring_boot:3", "fix_state": "Affected", "package_name": "ca.uhn.hapi.fhir/org.hl7.fhir.dstu2016may", "product_name": "Red Hat build of Apache Camel for Spring Boot 3"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:3", "fix_state": "Affected", "package_name": "ca.uhn.hapi.fhir/org.hl7.fhir.dstu3", "product_name": "Red Hat build of Apache Camel for Spring Boot 3"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:3", "fix_state": "Affected", "package_name": "ca.uhn.hapi.fhir/org.hl7.fhir.r4", "product_name": "Red Hat build of Apache Camel for Spring Boot 3"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:3", "fix_state": "Affected", "package_name": "ca.uhn.hapi.fhir/org.hl7.fhir.r5", "product_name": "Red Hat build of Apache Camel for Spring Boot 3"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:3", "fix_state": "Affected", "package_name": "ca.uhn.hapi.fhir/org.hl7.fhir.utilities", "product_name": "Red Hat build of Apache Camel for Spring Boot 3"}, {"cpe": "cpe:/a:redhat:quarkus:3", "fix_state": "Not affected", "package_name": "ca.uhn.hapi.fhir/org.hl7.fhir.dstu2016may", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:quarkus:3", "fix_state": "Not affected", "package_name": "ca.uhn.hapi.fhir/org.hl7.fhir.dstu3", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:quarkus:3", "fix_state": "Not affected", "package_name": "ca.uhn.hapi.fhir/org.hl7.fhir.r4", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:quarkus:3", "fix_state": "Not affected", "package_name": 
"ca.uhn.hapi.fhir/org.hl7.fhir.r5", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:quarkus:3", "fix_state": "Not affected", "package_name": "ca.uhn.hapi.fhir/org.hl7.fhir.utilities", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Will not fix", "package_name": "ca.uhn.hapi.fhir-org.hl7.fhir.core", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Will not fix", "package_name": "ca.uhn.hapi.fhir/org.hl7.fhir.dstu2016may", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Will not fix", "package_name": "ca.uhn.hapi.fhir/org.hl7.fhir.dstu3", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Will not fix", "package_name": "ca.uhn.hapi.fhir/org.hl7.fhir.r4", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Will not fix", "package_name": "ca.uhn.hapi.fhir/org.hl7.fhir.r5", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Will not fix", "package_name": "ca.uhn.hapi.fhir/org.hl7.fhir.utilities", "product_name": "Red Hat Fuse 7"}], "public_date": "2024-09-06T16:15:03Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-45294\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-45294\nhttps://github.com/hapifhir/org.hl7.fhir.core/releases/tag/6.3.23\nhttps://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-6cr6-ph3p-f5rf"], "statement": "This vulnerability is of significant severity because it allows for XML External Entity (XXE) injection, which can lead to unauthorized access and leakage of sensitive data from the host system. In environments where external clients are permitted to submit XML files, an attacker could craft a malicious XML containing a DTD (Document Type Definition) that references external entities. 
When processed, this could result in the unauthorized disclosure of files, environment variables, or other confidential data from the server, potentially compromising the integrity and confidentiality of the system.", "threat_severity": "Important"}