PT-2024-35091 · Hapi Fhir · Hapi Fhir

Dotasek · Published 2024-09-06 · Updated 2024-11-12 · CVE-2024-52007

CVSS v3.1: 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: HAPI FHIR versions prior to 6.4.0

Description: The XSLT parsing performed by various components in HAPI FHIR is vulnerable to XML external entity (XXE) injection. This issue can be exploited by submitting a malicious XML file containing a DTD declaration, potentially allowing access to data from the host system. This vulnerability impacts use cases where org.hl7.fhir.core is used within a host where external clients can submit XML. The estimated number of potentially affected devices is not specified.

Recommendations: For versions prior to 6.4.0, upgrade to release version 6.4.0 to address the issue. As a temporary workaround, consider restricting access to the XSLT parsing components to minimize the risk of exploitation. Avoid using the org.hl7.fhir.core component in environments where external clients can submit XML until the issue is resolved. At the moment, there are no known workarounds for this vulnerability other than upgrading to the fixed version.
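The parser hardening that closes this class of issue, shown as an added example that is not HAPI FHIR's or org.hl7.fhir.core's own code: a JAXP DocumentBuilder and TransformerFactory configured to refuse DTDs and external entities, tried against a constructed FHIR-shaped document that carries a DOCTYPE. The class name, method names and the sample document are assumptions for illustration.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class HardenedXmlParsing {

    // Constructed sample: a FHIR-shaped resource that declares a DTD with an
    // internal entity. A hardened parser must reject the DOCTYPE outright,
    // before any entity (internal or external) is resolved.
    static final String DTD_SAMPLE =
        "<?xml version=\"1.0\"?>"
      + "<!DOCTYPE Patient [<!ENTITY placeholder \"constructed\">]>"
      + "<Patient xmlns=\"http://hl7.org/fhir\"><id value=\"&placeholder;\"/></Patient>";

    /** DOM parser that disallows DTDs and never fetches external DTDs or schemas. */
    static DocumentBuilder hardenedDocumentBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** XSLT factory that cannot load external DTDs or external stylesheets. */
    static TransformerFactory hardenedTransformerFactory() throws Exception {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    /** True when the input parses; false when the hardened parser rejects its DTD. */
    static boolean acceptsDocument(String xml) throws Exception {
        try {
            Document d = hardenedDocumentBuilder().parse(new InputSource(new StringReader(xml)));
            return d != null;
        } catch (SAXParseException e) {
            return false; // DOCTYPE is disallowed, so the document is refused early
        }
    }

    public static void main(String[] args) throws Exception {
        hardenedTransformerFactory(); // use this factory for every transform() on client XML
        System.out.println("DTD sample accepted? " + acceptsDocument(DTD_SAMPLE));
    }
}
```

Any XML reaching an XSLT transform should first pass a builder configured like this one; the TransformerFactory settings additionally stop a stylesheet or its DTD from being fetched over the network or from the file system.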

Exploit

Fix

XXE


Weakness Enumeration

Related Identifiers

CVE-2024-52007
GHSA-6CR6-PH3P-F5RF
GHSA-GR3C-Q7XF-47VH

Affected Products

Hapi Fhir