CVE-2024-46984: 
Java vulnerability analysis and mitigation

CVE-2024-46984 affects the reference validator tool, which is used for validating FHIR resources for TI applications and interoperability standards. The vulnerability was discovered in September 2024 and affects versions prior to 2.5.1. The issue exists in the profile location routine within the referencevalidator commons package due to insecure defaults of the Woodstox WstxInputFactory (GitHub Advisory).

The vulnerability is an XML External Entity (XXE) injection vulnerability that occurs due to insecure defaults in the XML parser configuration. This type of vulnerability allows an attacker to include external entity references in XML input that can be processed by the application. The issue has been assigned a CVSS v3.1 base score of 8.6 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N (GitHub Advisory, NVD).

The vulnerability can lead to Server Side Request Forgery (SSRF) attacks where malicious XML resources can trigger network requests issued by the referencevalidator. This could allow attackers to access internal resources, scan internal systems, or extract sensitive data. The vulnerability impacts applications that use referencevalidator to process XML resources from untrusted sources (GitHub Advisory, OWASP SSRF).

The vulnerability has been patched in version 2.5.1 of the referencevalidator. Users are strongly recommended to update to this version or later. As a workaround, if updating is not immediately possible, organizations can implement pre-processing or manual analysis of input XML resources to check for DTD definitions and external entities (GitHub Advisory).