PT-2024-31547 · Unknown · HL7 FHIR Core Artifacts

Qligier · Published 2024-09-06 · Updated 2024-09-06 · CVE-2024-45294

CVSS v3.1 8.6 High
Vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: HL7 FHIR Core Artifacts repository, versions prior to 6.3.23
Description: Several components of the HL7 FHIR Core artifacts run XSLT transforms, and the XML parsing done for those transforms resolved external entities (XML external entity injection, XXE). An XML document carrying a DOCTYPE declaration that defines an external entity, for example one whose SYSTEM identifier points at a local file, has that entity expanded during the transform, so the XML produced can contain data read from the host system. The impact is to confidentiality only (C:H, I:N, A:N in the vector above), and it matters wherever the library is embedded in a host that accepts XML submitted by external clients.
Recommendations: For versions prior to 6.3.23, update to release 6.3.23, which resolves the issue. Until the update is applied, restrict or stop accepting XML submissions from external clients. Do not use <!DOCTYPE> declarations with external entities in the XML you process, and reject submitted XML that contains a <!DOCTYPE> declaration at all: an external entity can only be declared through one, so refusing the declaration closes the injection path. No other workarounds are known at the time of writing.

Exploit · Fix · XXE

Weakness Enumeration

Related Identifiers

CVE-2024-45294
GHSA-59RQ-22FM-X8Q5
GHSA-6CR6-PH3P-F5RF

Affected Products

HL7 FHIR Core Artifacts