{
  "id": "CVE-2024-52007",
  "summary": "XXE vulnerability in XSLT parsing in `org.hl7.fhir.core`",
  "details": "HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. XSLT parsing performed by various components is vulnerable to XML external entity injection. A processed XML file with a malicious DTD tag (\u003c!DOCTYPE foo [\u003c!ENTITY example SYSTEM \"/etc/passwd\"\u003e ]\u003e) could produce XML containing data from the host system. This impacts use cases where org.hl7.fhir.core is being used within a host where external clients can submit XML. This is related to GHSA-6cr6-ph3p-f5rf, whose fix (#1571 & #1717) was incomplete. This issue has been addressed in release version 6.4.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.",
  "aliases": ["GHSA-gr3c-q7xf-47vh"],
  "modified": "2026-04-10T05:14:58.775607Z",
  "published": "2024-11-08T22:28:20.169Z",
  "related": ["GHSA-6cr6-ph3p-f5rf", "GHSA-gr3c-q7xf-47vh"],
  "database_specific": {
    "cna_assigner": "GitHub_M",
    "cwe_ids": ["CWE-611"],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/52xxx/CVE-2024-52007.json"
  },
  "references": [
    {"type": "WEB", "url": "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#jaxp-documentbuilderfactory-saxparserfactory-and-dom4j"},
    {"type": "WEB", "url": "https://cwe.mitre.org/data/definitions/611.html"},
    {"type": "ADVISORY", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/52xxx/CVE-2024-52007.json"},
    {"type": "ADVISORY", "url": "https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-6cr6-ph3p-f5rf"},
    {"type": "ADVISORY", "url": "https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-gr3c-q7xf-47vh"},
    {"type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52007"},
    {"type": "REPORT", "url": "https://github.com/hapifhir/org.hl7.fhir.core/issues/1571"},
    {"type": "FIX", "url": "https://github.com/hapifhir/org.hl7.fhir.core/pull/1717"}
  ],
  "affected": [
    {
      "ranges": [
        {
          "type": "GIT",
          "repo": "https://github.com/hapifhir/org.hl7.fhir.core",
          "events": [{"introduced": "0"}, {"fixed": "26c445c8fc841d5e73c4662391b970f4a2bcc805"}],
          "database_specific": {"versions": [{"introduced": "0"}, {"fixed": "6.4.0"}]}
        }
      ],
      "versions": ["1.1.67","5.0.10","5.0.11","5.0.12","5.0.13","5.0.14","5.0.16","5.0.17","5.0.18","5.0.19","5.0.20","5.0.21","5.0.22","5.0.7","5.0.8","5.0.9","5.1.1","5.1.2","5.1.3","5.1.4","5.1.6","5.1.7","5.3.1","5.3.10","5.3.11","5.3.12","5.3.14","5.3.2","5.3.3","5.3.4","5.3.5","5.3.6","5.3.7","5.3.9","5.4.1","5.4.10","5.4.12","5.4.2","5.4.3","5.4.4","5.4.5","5.4.6","5.4.7","5.4.8","5.4.9","5.5.1","5.5.10","5.5.11","5.5.12","5.5.13","5.5.14","5.5.15","5.5.3","5.5.4","5.5.6","5.5.7","5.5.8","5.5.9","5.6.0","5.6.1","5.6.100","5.6.101","5.6.102","5.6.103","5.6.104","5.6.105","5.6.106","5.6.107","5.6.108","5.6.109","5.6.110","5.6.111","5.6.112","5.6.114","5.6.115","5.6.116","5.6.15","5.6.17","5.6.18","5.6.19","5.6.20","5.6.21","5.6.22","5.6.23","5.6.24","5.6.25","5.6.26","5.6.27","5.6.28","5.6.29","5.6.3","5.6.4","5.6.42","5.6.43","5.6.44","5.6.45","5.6.46","5.6.47","5.6.48","5.6.50","5.6.52","5.6.53","5.6.54","5.6.56","5.6.6","5.6.61","5.6.62","5.6.63","5.6.64","5.6.65","5.6.66","5.6.67","5.6.68","5.6.69","5.6.7","5.6.70","5.6.71","5.6.72","5.6.74","5.6.75","5.6.76","5.6.77","5.6.78","5.6.79","5.6.80","5.6.84","5.6.85","5.6.86","5.6.87","5.6.88","5.6.89","5.6.9","5.6.90","5.6.91","5.6.92","5.6.96","5.6.97","5.6.98","5.6.99","6.0.0","6.0.1","6.0.10","6.0.11","6.0.12","6.0.13","6.0.14","6.0.15","6.0.16","6.0.17","6.0.18","6.0.19","6.0.2","6.0.20","6.0.21","6.0.23","6.0.3","6.0.4","6.0.5","6.0.6","6.0.7","6.0.8","6.0.9","6.1.1","6.1.10","6.1.13","6.1.14","6.1.15","6.1.16","6.1.2","6.1.3","6.1.4","6.1.6","6.1.7","6.1.8","6.1.9","6.2.0","6.2.1","6.2.10","6.2.11","6.2.12","6.2.13","6.2.2","6.2.3","6.2.4","6.2.5","6.2.6","6.2.7","6.2.8","6.2.9","6.3.11","6.3.14","6.3.15","6.3.18","6.3.19","6.3.20","6.3.21","6.3.22","6.3.23","6.3.26","6.3.27","6.3.29","6.3.30","6.3.31","6.3.32","6.3.4","6.3.5","6.3.6","6.3.7","6.3.8","6.3.9","v5.3.0","v5.4.0"],
      "database_specific": {"source": "https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-52007.json"}
    }
  ],
  "schema_version": "1.7.5",
  "severity": [{"type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"}]
}