CVE-2024-52007: 
Java vulnerability analysis and mitigation

HAPI FHIR, a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java, was found to be vulnerable to XML external entity (XXE) injections in its XSLT parsing components. The vulnerability (CVE-2024-52007) was discovered in versions prior to 6.4.0, where a malicious XML file with a DTD tag could be processed to extract data from the host system. This vulnerability affects scenarios where org.hl7.fhir.core is used in environments where external clients can submit XML (GitHub Advisory).

The vulnerability is related to improper restriction of XML External Entity references (CWE-611) in the XSLT parsing functionality. This issue was a follow-up to a previous vulnerability (GHSA-6cr6-ph3p-f5rf) where the initial fix implemented in pull requests #1571 and #1717 was found to be incomplete. The vulnerability has been assigned a CVSS v3.1 base score of 8.6 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N, indicating it can be exploited remotely without requiring privileges or user interaction (GitHub Advisory).

The vulnerability allows attackers to potentially extract sensitive data from the host system through XML external entity injection attacks. This affects systems where org.hl7.fhir.core is deployed in an environment that accepts XML input from external clients (GitHub Advisory).

The vulnerability has been addressed in release version 6.4.0. All users are advised to upgrade to this version as there are no known workarounds for this vulnerability (GitHub Advisory).