CVE-2024-45294: 
Java vulnerability analysis and mitigation

The vulnerability (CVE-2024-45294) affects the HL7 FHIR Core Artifacts repository, which provides Java core object handling code and utilities for the Fast Healthcare Interoperability Resources (FHIR) specification. Prior to version 6.3.23, XSLT transforms performed by various components were vulnerable to XML external entity (XXE) injections. This vulnerability was discovered and disclosed in September 2024 (NVD, GitHub Advisory).

The vulnerability allows XML external entity injections through XSLT transforms. Specifically, a processed XML file containing a malicious DTD tag could produce XML containing data from the host system. The vulnerability has been assigned a CVSS v3.1 base score of 8.6 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N, indicating network accessibility, low attack complexity, no privileges required, and no user interaction needed (GitHub Advisory).

The vulnerability primarily affects confidentiality, as it could allow attackers to access data from the host system where org.hl7.fhir.core is being used in environments where external clients can submit XML. This is particularly concerning in healthcare environments where sensitive patient data might be exposed (GitHub Advisory).

The vulnerability has been patched in release 6.3.23 of org.hl7.fhir.core. No alternative workarounds are available, making it crucial for affected systems to upgrade to the patched version (GitHub Advisory, NVD).