XSLT parsing performed by various components are vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag ( ]> could produce XML containing data from the host system. This impacts use cases where org.hl7.fhir.core is being used to within a host where external clients can submit XML.
This is related to https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-6cr6-ph3p-f5rf, in which its fix ( https://github.com/hapifhir/org.hl7.fhir.core/issues/1571, https://github.com/hapifhir/org.hl7.fhir.core/pull/1717) was incomplete.
https://cwe.mitre.org/data/definitions/611.html https://cheatsheetseries.owasp.org/cheatsheets/XMLExternalEntityPreventionCheat_Sheet.html#jaxp-documentbuilderfactory-saxparserfactory-and-dom4j
{ "nvd_published_at": "2024-11-08T23:15:04Z", "cwe_ids": [ "CWE-611" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-11-08T18:49:15Z" }