Dotasek

**Name of the Vulnerable Software and Affected Versions** HL7 FHIR IG Publisher versions prior to 1.7.4 **Description** The HL7 FHIR IG publisher tool, used to create standard FHIR IGs, has an issue where XSLT transforms performed by its components are susceptible to XML external entity injections. A specially crafted XML file containing a malicious DTD tag `( ]>` could potentially expose data from the host system. This is particularly relevant in scenarios where the `org.hl7.fhir.publisher` is used in an environment where external clients can submit XML files. A prior attempt to address this issue was found to be incomplete through further testing. **Recommendations** Versions prior to 1.7.4 should be updated to version 1.7.4 to resolve this issue.

**Name of the Vulnerable Software and Affected Versions** Ucum-java versions prior to 1.0.9 **Description** The issue is related to XML external entity injections in the UcumEssenceService. This occurs when XML parsing is performed, allowing a malicious DTD tag in a processed XML file to produce XML containing data from the host system. This impacts scenarios where Ucum-java is used within a host and external clients can submit XML. **Recommendations** For versions prior to 1.0.9, update to release 1.0.9 to fix the vulnerability. As a temporary workaround, ensure that the source XML for instantiating UcumEssenceService is trusted.

**Name of the Vulnerable Software and Affected Versions** HAPI FHIR versions prior to 6.4.0 **Description** The XSLT parsing performed by various components in HAPI FHIR is vulnerable to XML external entity injections. This issue can be exploited by submitting a malicious XML file with a DTD tag, potentially allowing access to data from the host system. This vulnerability impacts use cases where org.hl7.fhir.core is being used within a host where external clients can submit XML. The estimated number of potentially affected devices is not specified. **Recommendations** For versions prior to 6.4.0, upgrade to release version 6.4.0 to address the issue. As a temporary workaround, consider restricting access to the XSLT parsing components to minimize the risk of exploitation. Avoid using the `org.hl7.fhir.core` component in environments where external clients can submit XML until the issue is resolved. At the moment, there are no known workarounds for this vulnerability other than upgrading to the fixed version.