CVE-2024-51132
📋 TL;DR
An XML External Entity (XXE) vulnerability in HAPI FHIR before version 6.4.0 allows an attacker who can submit XML to the server to read files the application can read (configuration, credentials, keys) and, depending on the deployment, to execute arbitrary code, by sending a specially crafted XML request. The 6.4.0 version number refers to the org.hl7.fhir.core library (the repository linked below), which HAPI FHIR pulls in as a dependency; any deployment that accepts XML input through a vulnerable build is affected.
💻 Affected Systems
- HAPI FHIR
⚠️ Manual Verification Required
Automated matching on this page could not decide whether a given installation is affected, because the NVD entry carries no machine-readable version range (no CPE configuration from the vendor/NVD). The advisory text itself names the boundary: builds before 6.4.0 are vulnerable, so verify by checking the resolved dependency versions as described under "How to Verify".
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise leading to data exfiltration, remote code execution, and complete system takeover.
Likely Case
Unauthorized access to sensitive server files (configuration files, credentials, source code) and potential denial of service.
If Mitigated
Limited impact if XML parsing is disabled or external entity processing is blocked.
🎯 Exploit Status
Proof-of-concept exploit code is publicly available, making exploitation straightforward for attackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.4.0 and later
Vendor Repository (fix landed here; there is no separate advisory page): https://github.com/hapifhir/org.hl7.fhir.core
Restart Required: Yes
Instructions:
1. Raise the org.hl7.fhir.core artifacts (org.hl7.fhir.utilities, org.hl7.fhir.r4, org.hl7.fhir.r5 and siblings, usually pulled in transitively by HAPI FHIR) to 6.4.0 or later, either by moving to a HAPI FHIR release that depends on them or by pinning them in your build's dependency management.
2. Rebuild and confirm the resolved versions in the dependency tree, not just the declared ones.
3. Restart the application server so the new jars are loaded.
🔧 Temporary Workarounds
Disable XXE in XML parser
Configure every XML parser that touches untrusted input to refuse DTDs and external entities. The feature names in the original text are Java constants; the actual settings are XMLConstants.FEATURE_SECURE_PROCESSING (http://javax.xml.XMLConstants/feature/secure-processing) set to true, and the Xerces feature http://apache.org/xml/features/disallow-doctype-decl set to true. Secure processing alone only limits entity expansion; it is the DOCTYPE rejection that stops XXE. For StAX parsers (XMLInputFactory) the equivalents are XMLInputFactory.SUPPORT_DTD=false and XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES=false. Caveat: this workaround only helps where you construct the parser yourself; a parser created inside the library cannot be reconfigured from application code, which is why the request filter below is the control most deployments can actually apply.
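The following is an added example, not code from the HAPI FHIR or org.hl7.fhir.core projects. It builds a constructed XXE payload shaped like a FHIR Patient resource whose entity points at a temporary file standing in for a secret, parses it once with the JDK's default DocumentBuilderFactory and once with a factory carrying the settings named above, and shows that the first returns the file contents while the second refuses the DOCTYPE. Class and method names are the example's own; the feature URIs are the real Xerces/JAXP ones.

```java
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XxeDemo {

    /** Default JDK DOM factory: DOCTYPE declarations and external entities are processed. */
    static DocumentBuilderFactory vulnerableFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    /** Hardened factory carrying the settings the workaround refers to, by their real feature URIs. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Limits entity expansion (billion-laughs); on its own it does NOT block external entities.
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // FHIR XML never uses a DTD, so rejecting any DOCTYPE outright is the decisive setting.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for deployments that must keep a DOCTYPE for some other reason.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    /** Parses the document and returns the value attribute of the first <id> element. */
    static String parseIdValue(DocumentBuilderFactory dbf, String xml) throws Exception {
        Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        return doc.getElementsByTagName("id").item(0)
                  .getAttributes().getNamedItem("value").getNodeValue();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a sensitive server-side file.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.writeString(secret, "db.password=constructed-secret");
        secret.toFile().deleteOnExit();

        // Constructed XXE payload: the external entity resolves to the temp file above.
        String payload = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE Patient [<!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">]>\n"
            + "<Patient xmlns=\"http://hl7.org/fhir\"><id value=\"&xxe;\"/></Patient>";

        // Default factory: the file contents come back inside the parsed resource.
        System.out.println("default factory  -> id = " + parseIdValue(vulnerableFactory(), payload));

        // Hardened factory: the parser rejects the document before any entity is resolved.
        try {
            System.out.println("hardened factory -> id = " + parseIdValue(hardenedFactory(), payload));
        } catch (SAXParseException e) {
            System.out.println("hardened factory -> rejected: " + e.getMessage());
        }
    }
}
```

Run it with a JDK 11 or newer (`javac XxeDemo.java && java XxeDemo`); no third-party libraries are needed because the JDK's built-in Xerces honours these feature URIs. If your deployment parses with StAX instead of DOM, apply the XMLInputFactory properties named above in the same way; the point is the same, reject the DOCTYPE rather than rely on entity-expansion limits.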
Input validation filter
Reject, before it reaches any XML parser, every request body that contains a DTD. Add a request filter (or WAF rule) that matches the literal sequences '<!DOCTYPE' or '<!ENTITY' in XML bodies and answers with an HTTP 4xx. This has no legitimate false positives because FHIR XML never uses a DTD. Two caveats for the filter author: decode the body the way the parser will (a UTF-16 encoded payload does not contain the ASCII bytes of '<!DOCTYPE'), and do not gate the check on the Content-Type header alone, since a server that sniffs the body format when the header is missing would still hand the body to the XML parser.
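Below is an added example, not code from the HAPI FHIR project, of the gate logic such a filter would run on each request before the body is handed to the FHIR parser. It decodes the body by BOM or declared charset so a UTF-16 payload is still caught, treats a body as XML when the Content-Type mentions xml or when the header is absent and the body starts with '<' (an assumption made to cover servers that sniff the format), and runs a few constructed requests through it. Wrap `shouldReject` in your servlet filter or proxy of choice; that plumbing is omitted so the class runs with the JDK alone.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class DoctypeGate {

    // XML keywords are upper case by spec; the case-insensitive flag is cheap insurance.
    private static final Pattern DTD_MARKUP = Pattern.compile("<!(DOCTYPE|ENTITY)", Pattern.CASE_INSENSITIVE);
    private static final Pattern CHARSET_PARAM = Pattern.compile("charset=\"?([\\w-]+)", Pattern.CASE_INSENSITIVE);

    /** Decode the body the way the parser would, so a byte-level match cannot be evaded by encoding. */
    static String decodeBody(String contentType, byte[] body) {
        if (body.length >= 2) {
            int b0 = body[0] & 0xff, b1 = body[1] & 0xff;
            if ((b0 == 0xFE && b1 == 0xFF) || (b0 == 0xFF && b1 == 0xFE)) {
                return new String(body, StandardCharsets.UTF_16); // BOM selects the byte order
            }
        }
        Charset cs = StandardCharsets.UTF_8;
        if (contentType != null) {
            Matcher m = CHARSET_PARAM.matcher(contentType);
            if (m.find()) {
                try { cs = Charset.forName(m.group(1)); } catch (IllegalArgumentException ignored) { }
            }
        }
        return new String(body, cs);
    }

    /** XML if the Content-Type says so, or (assumption: server sniffs) if no type and the body starts with '<'. */
    static boolean looksLikeXml(String contentType, String decoded) {
        if (contentType != null) {
            return contentType.toLowerCase(Locale.ROOT).contains("xml"); // application/fhir+xml, application/xml, text/xml
        }
        return decoded.stripLeading().startsWith("<");
    }

    /** True when the request must be refused before it reaches the FHIR XML parser. */
    static boolean shouldReject(String contentType, byte[] body) {
        String decoded = decodeBody(contentType, body);
        return looksLikeXml(contentType, decoded) && DTD_MARKUP.matcher(decoded).find();
    }

    public static void main(String[] args) {
        // Constructed sample requests.
        String legit = "<?xml version=\"1.0\"?><Patient xmlns=\"http://hl7.org/fhir\"><id value=\"p1\"/></Patient>";
        String xxe = "<?xml version=\"1.0\"?><!DOCTYPE x [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]>"
                   + "<Patient xmlns=\"http://hl7.org/fhir\"><id value=\"&xxe;\"/></Patient>";
        String json = "{\"resourceType\":\"Patient\",\"id\":\"<!DOCTYPE\"}"; // string content, never parsed as XML

        report("legit UTF-8 XML",      "application/fhir+xml",               legit.getBytes(StandardCharsets.UTF_8));
        report("XXE UTF-8 XML",        "application/fhir+xml; charset=utf-8", xxe.getBytes(StandardCharsets.UTF_8));
        report("XXE UTF-16 with BOM",  "application/xml",                    xxe.getBytes(StandardCharsets.UTF_16));
        report("XXE, no Content-Type", null,                                 xxe.getBytes(StandardCharsets.UTF_8));
        report("JSON mentioning DOCTYPE", "application/fhir+json",           json.getBytes(StandardCharsets.UTF_8));
    }

    static void report(String label, String contentType, byte[] body) {
        System.out.printf("%-26s -> %s%n", label, shouldReject(contentType, body) ? "REJECT" : "allow");
    }
}
```

Expected behaviour: the three XXE variants are rejected (including the UTF-16 one, which a byte-level grep for `<!DOCTYPE` would miss), while the plain resource and the JSON body are allowed. Log every rejection with source address and URI; those events are exactly the indicators the detection section asks for.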
🧯 If You Can't Patch
- Implement network segmentation to restrict access to HAPI FHIR endpoints
- Deploy WAF with XXE protection rules to block malicious XML payloads
🔍 How to Verify
Check if Vulnerable:
You are vulnerable if the resolved org.hl7.fhir.core artifacts are older than 6.4.0 and the server accepts XML input (application/fhir+xml, application/xml, text/xml, or format sniffing).
Check Version:
Look in pom.xml or build.gradle for org.hl7.fhir.core dependency versions, but do not stop at the declared versions: the artifacts usually arrive transitively through HAPI FHIR, so inspect the resolved tree (for Maven, `mvn dependency:tree -Dincludes=org.hl7.fhir`; for Gradle, `gradle dependencies`) and, on a running server, the org.hl7.fhir.* jar names on the classpath.
Verify Fix Applied:
Confirm the resolved org.hl7.fhir.core versions are 6.4.0 or later, then send an XML resource containing a DOCTYPE with an external entity and confirm the server rejects it with an error rather than echoing any entity content back.
📡 Detection & Monitoring
Log Indicators:
- XML parsing errors
- Requests with unusual XML structures
- File read attempts via XML entities
Network Indicators:
- HTTP requests containing DOCTYPE declarations
- XML payloads with external entity references
SIEM Query:
http.request_uri CONTAINS "/fhir" AND (http.request_body CONTAINS "<!DOCTYPE" OR http.request_body CONTAINS "<!ENTITY")
(The parentheses matter: without them AND binds tighter than OR and the query fires on every request anywhere that contains "<!ENTITY". Field names are illustrative; map them to your SIEM's schema, and remember the body must be decoded, not matched as raw bytes, or a UTF-16 payload is missed.)