PT-2025-2936 · HL7 · HL7 FHIR IG Publisher

Dotasek · Published 2025-01-24 · Updated 2026-01-29

CVE-2024-52807
CVSS v3.1: 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: HL7 FHIR IG Publisher versions prior to 1.7.4

Description: The HL7 FHIR IG Publisher tool, used to create standard FHIR IGs, has an issue where XSLT transforms performed by its components are susceptible to XML external entity (XXE) injection. A specially crafted XML file containing a malicious DTD declaration could potentially expose data from the host system. This is particularly relevant where org.hl7.fhir.publisher is used in an environment in which external clients can submit XML files. A prior attempt to address this issue was found to be incomplete through further testing.

Recommendations: Versions prior to 1.7.4 should be updated to version 1.7.4 to resolve this issue.
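As an added example (not code from this page or from the HL7 project), the JAXP transformer setup that leaves external DTD resolution enabled, beside the hardened setup that refuses it; the input document, stylesheet and file path are constructed placeholders.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;
import java.io.StringWriter;

public class XxeHardenedXslt {

    // Constructed sample input: a DOCTYPE that declares an external entity.
    // The path is a hypothetical placeholder; it must never be read.
    static final String UNTRUSTED_XML =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE doc [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER_HOST_FILE\">]>\n" +
        "<doc>&ext;</doc>";

    // Constructed stylesheet: copies the text of /doc into the output.
    static final String STYLESHEET =
        "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">" +
        "<xsl:template match=\"/\"><out><xsl:value-of select=\"/doc\"/></out></xsl:template>" +
        "</xsl:stylesheet>";

    // Weak: a default factory may resolve external DTDs and entities while the
    // source is parsed for the transform. Do not use this for untrusted XML.
    static TransformerFactory weakFactory() {
        return TransformerFactory.newInstance();
    }

    // Hardened: secure processing on and no external DTD or stylesheet access,
    // so an external entity in the input cannot be fetched from the host.
    static TransformerFactory hardenedFactory() throws TransformerException {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    static String transform(TransformerFactory tf, String xml) throws TransformerException {
        Transformer t = tf.newTransformer(new StreamSource(new StringReader(STYLESHEET)));
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        try {
            System.out.println("hardened: " + transform(hardenedFactory(), UNTRUSTED_XML));
        } catch (TransformerException e) {
            // Expected with the hardened factory: the external entity is refused.
            System.out.println("hardened: rejected external entity: " + e.getMessage());
        }
    }
}
```

Only the hardened path is exercised against the constructed input; the weak factory is shown for comparison and is the configuration to look for when auditing XSLT code paths that accept client-supplied XML.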

XXE

Weakness Enumeration

Related Identifiers

CVE-2024-52807
GHSA-8C3X-HQ82-GJCM

Affected Products

HL7 FHIR IG Publisher