Cyber Posture

CVE-2024-52807

High

Published: 24 January 2025
Modified: 15 April 2026
KEV Added: (no date listed)
Patch: available (see references)
CVSS Score: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
EPSS Score: 0.0003 (9.7th percentile)
Risk Priority: 17 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

The HL7 FHIR IG publisher is a tool that takes a set of inputs and creates a standard FHIR IG. Prior to version 1.7.4, XSLT transforms performed by various components are vulnerable to XML external entity (XXE) injection. A processed XML file carrying a malicious DTD (DOCTYPE) declaration could produce output XML containing data from the host system. This impacts use cases where org.hl7.fhir.publisher is used within a host where external clients can submit XML. A previous release provided an incomplete fix, as revealed by new testing. This issue has been patched as of version 1.7.4. No known workarounds are available.

Security Summary

CVE-2024-52807 is an XML external entity (XXE) injection vulnerability, classified under CWE-611, affecting the HL7 FHIR Implementation Guide (IG) publisher prior to version 1.7.4. This tool processes inputs to generate standard FHIR IGs and performs XSLT transforms on XML files. A malicious DTD (DOCTYPE) declaration in a processed XML file can cause sensitive data from the host system to be included in the output XML. The vulnerability was incompletely addressed in a prior release, as revealed by additional testing.

The issue enables exploitation in scenarios where the org.hl7.fhir.publisher component runs on a host that accepts XML submissions from external clients. An unauthenticated attacker with network access (AV:N/AC:L/PR:N/UI:N) can submit crafted XML, achieving high confidentiality impact (C:H) with a changed scope (S:C), as scored at CVSS 8.6. Successful exploitation allows the attacker to extract data from the host system, such as local files, without requiring privileges, user interaction, or impacting integrity or availability.

Mitigation is available via upgrade to version 1.7.4, which patches the XSLT transform components. Relevant details are documented in the GitHub security advisory (GHSA-8c3x-hq82-gjcm), the commit fixing the issue (3560de2f486d688a3ddcf4aa54d8bdacea380c3d), and the release comparison between 1.7.3 and 1.7.4. No workarounds are known.

Details

CWE(s): CWE-611

References