{"affected_release": [{"advisory": "RHSA-2024:9806", "cpe": "cpe:/a:redhat:apache_camel_spring_boot:4.4.4", "package": "ca.uhn.hapi.fhir/org.hl7.fhir.dstu2", "product_name": "Red Hat build of Apache Camel 4.4.4 for Spring Boot", "release_date": "2024-11-15T00:00:00Z"}, {"advisory": "RHSA-2024:9806", "cpe": "cpe:/a:redhat:apache_camel_spring_boot:4.4.4", "package": "ca.uhn.hapi.fhir/org.hl7.fhir.dstu2016may", "product_name": "Red Hat build of Apache Camel 4.4.4 for Spring Boot", "release_date": "2024-11-15T00:00:00Z"}, {"advisory": "RHSA-2024:9806", "cpe": "cpe:/a:redhat:apache_camel_spring_boot:4.4.4", "package": "ca.uhn.hapi.fhir/org.hl7.fhir.dstu3", "product_name": "Red Hat build of Apache Camel 4.4.4 for Spring Boot", "release_date": "2024-11-15T00:00:00Z"}, {"advisory": "RHSA-2024:9806", "cpe": "cpe:/a:redhat:apache_camel_spring_boot:4.4.4", "package": "ca.uhn.hapi.fhir/org.hl7.fhir.r4", "product_name": "Red Hat build of Apache Camel 4.4.4 for Spring Boot", "release_date": "2024-11-15T00:00:00Z"}, {"advisory": "RHSA-2024:9806", "cpe": "cpe:/a:redhat:apache_camel_spring_boot:4.4.4", "package": "ca.uhn.hapi.fhir/org.hl7.fhir.r5", "product_name": "Red Hat build of Apache Camel 4.4.4 for Spring Boot", "release_date": "2024-11-15T00:00:00Z"}, {"advisory": "RHSA-2024:9806", "cpe": "cpe:/a:redhat:apache_camel_spring_boot:4.4.4", "package": "ca.uhn.hapi.fhir/org.hl7.fhir.utilities", "product_name": "Red Hat build of Apache Camel 4.4.4 for Spring Boot", "release_date": "2024-11-15T00:00:00Z"}, {"advisory": "RHSA-2024:10035", "cpe": "cpe:/a:redhat:camel_quarkus:3.8", "package": "ca.uhn.hapi.fhir/org.hl7.fhir.dstu2", "product_name": "Red Hat Build of Apache Camel 4.4 for Quarkus 3.8", "release_date": "2024-11-19T00:00:00Z"}, {"advisory": "RHSA-2024:10035", "cpe": "cpe:/a:redhat:camel_quarkus:3.8", "package": "ca.uhn.hapi.fhir/org.hl7.fhir.dstu2016may", "product_name": "Red Hat Build of Apache Camel 4.4 for Quarkus 3.8", "release_date": 
"2024-11-19T00:00:00Z"}, {"advisory": "RHSA-2024:10035", "cpe": "cpe:/a:redhat:camel_quarkus:3.8", "package": "ca.uhn.hapi.fhir/org.hl7.fhir.dstu3", "product_name": "Red Hat Build of Apache Camel 4.4 for Quarkus 3.8", "release_date": "2024-11-19T00:00:00Z"}, {"advisory": "RHSA-2024:10035", "cpe": "cpe:/a:redhat:camel_quarkus:3.8", "package": "ca.uhn.hapi.fhir/org.hl7.fhir.r4", "product_name": "Red Hat Build of Apache Camel 4.4 for Quarkus 3.8", "release_date": "2024-11-19T00:00:00Z"}, {"advisory": "RHSA-2024:10035", "cpe": "cpe:/a:redhat:camel_quarkus:3.8", "package": "ca.uhn.hapi.fhir/org.hl7.fhir.r5", "product_name": "Red Hat Build of Apache Camel 4.4 for Quarkus 3.8", "release_date": "2024-11-19T00:00:00Z"}, {"advisory": "RHSA-2024:10035", "cpe": "cpe:/a:redhat:camel_quarkus:3.8", "package": "ca.uhn.hapi.fhir-org.hl7.fhir.utilities", "product_name": "Red Hat Build of Apache Camel 4.4 for Quarkus 3.8", "release_date": "2024-11-19T00:00:00Z"}], "bugzilla": {"description": "org.hl7.fhir.convertors: org.hl7.fhir.dstu2: org.hl7.fhir.dstu2016may: org.hl7.fhir.dstu3: org.hl7.fhir.r4: org.hl7.fhir.r5: org.hl7.fhir.utilities: org.hl7.fhir.validation: org.hl7.fhir.core: FHIR arbitrary code execution via specially-crafted request", "id": "2323897", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2323897"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.1", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "status": "verified"}, "cwe": "CWE-611->CWE-601", "details": ["An XML External Entity (XXE) vulnerability in HAPI FHIR before v6.4.0 allows attackers to access sensitive information or execute arbitrary code via supplying a crafted request containing malicious XML entities.", "A flaw was found in Fast Healthcare Interoperability Resources (HAPI FHIR). 
This vulnerability could allow attackers to execute arbitrary code or access sensitive information via a crafted request which contains malicious XML entities."], "mitigation": {"lang": "en:us", "value": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible."}, "name": "CVE-2024-51132", "package_state": [{"cpe": "cpe:/a:redhat:camel_spring_boot:3", "fix_state": "Out of support scope", "package_name": "ca.uhn.hapi.fhir/org.hl7.fhir.dstu2", "product_name": "Red Hat build of Apache Camel for Spring Boot 3"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:3", "fix_state": "Out of support scope", "package_name": "ca.uhn.hapi.fhir/org.hl7.fhir.dstu2016may", "product_name": "Red Hat build of Apache Camel for Spring Boot 3"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:3", "fix_state": "Out of support scope", "package_name": "ca.uhn.hapi.fhir/org.hl7.fhir.dstu3", "product_name": "Red Hat build of Apache Camel for Spring Boot 3"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:3", "fix_state": "Out of support scope", "package_name": "ca.uhn.hapi.fhir/org.hl7.fhir.r4", "product_name": "Red Hat build of Apache Camel for Spring Boot 3"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:3", "fix_state": "Out of support scope", "package_name": "ca.uhn.hapi.fhir/org.hl7.fhir.r5", "product_name": "Red Hat build of Apache Camel for Spring Boot 3"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:3", "fix_state": "Out of support scope", "package_name": "ca.uhn.hapi.fhir/org.hl7.fhir.utilities", "product_name": "Red Hat build of Apache Camel for Spring Boot 3"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Fix deferred", "impact": "low", "package_name": "ca.uhn.hapi.fhir/org.hl7.fhir.convertors", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Fix deferred", "impact": "low", "package_name": "ca.uhn.hapi.fhir-org.hl7.fhir.core", 
"product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Fix deferred", "impact": "low", "package_name": "ca.uhn.hapi.fhir/org.hl7.fhir.dstu2", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Fix deferred", "impact": "low", "package_name": "ca.uhn.hapi.fhir/org.hl7.fhir.dstu2016may", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Fix deferred", "impact": "low", "package_name": "ca.uhn.hapi.fhir/org.hl7.fhir.dstu3", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Fix deferred", "impact": "low", "package_name": "ca.uhn.hapi.fhir/org.hl7.fhir.r4", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Fix deferred", "impact": "low", "package_name": "ca.uhn.hapi.fhir/org.hl7.fhir.r5", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Fix deferred", "impact": "low", "package_name": "ca.uhn.hapi.fhir/org.hl7.fhir.utilities", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Fix deferred", "impact": "low", "package_name": "ca.uhn.hapi.fhir/org.hl7.fhir.validation", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Fix deferred", "impact": "low", "package_name": "ca.uhn.hapi.fhir/org.hl7.fhir.validation.cli", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Out of support scope", "package_name": "ca.uhn.hapi.fhir/org.hl7.fhir.dstu3", "product_name": "Red Hat Integration Camel K 1"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Out of support scope", "package_name": "ca.uhn.hapi.fhir/org.hl7.fhir.r4", "product_name": "Red Hat Integration Camel K 1"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Out of support scope", "package_name": "ca.uhn.hapi.fhir/org.hl7.fhir.r5", "product_name": "Red Hat Integration Camel K 1"}, {"cpe": 
"cpe:/a:redhat:integration:1", "fix_state": "Out of support scope", "package_name": "ca.uhn.hapi.fhir/org.hl7.fhir.utilities", "product_name": "Red Hat Integration Camel K 1"}], "public_date": "2024-11-05T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-51132\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-51132\nhttps://docs.redhat.com/en/documentation/red_hat_build_of_apache_camel_k/1.10.8/html/release_notes_for_red_hat_build_of_apache_camel_k/camel-k-relnotes_camelk#supported_camel_quarkus_connector_extensions\nhttps://github.com/JAckLosingHeart/CVE-2024-51132-POC\nhttps://github.com/advisories/GHSA-4cf2-cxp3-rjr7\nhttps://github.com/hapifhir/org.hl7.fhir.core"], "statement": "Red Hat Build of Apache Camel K provides support for a select group of extensions for Camel Quarkus. As FHIR is not on this list, it is marked as out of support scope. Consult the external references section for the list of supported Camel Quarkus extensions.\nWhile Red Hat Fuse 7 includes a vulnerable version of FHIR, the product does not utilize the affected function. This reduces the impact of the vulnerability to Low.", "threat_severity": "Critical"}