{ "affected": [ { "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "9a619c4c6cebb3cb3566f079c8f4324dbd05cb90" } ], "repo": "https://github.com/hl7/fhir-ig-publisher", "type": "GIT" } ] } ], "aliases": [ "GHSA-8c3x-hq82-gjcm" ], "database_specific": { "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-611" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/52xxx/CVE-2024-52807.json" }, "details": "The HL7 FHIR IG publisher is a tool to take a set of inputs and create a standard FHIR IG. Prior to version 1.7.4, XSLT transforms performed by various components are vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag `( ]\u003e` could produce XML containing data from the host system. This impacts use cases where org.hl7.fhir.publisher is being used to within a host where external clients can submit XML. A previous release provided an incomplete solution revealed by new testing. This issue has been patched as of version 1.7.4. No known workarounds are available.", "id": "CVE-2024-52807", "modified": "2026-04-01T23:10:35.008143067Z", "published": "2025-01-24T18:34:23.255Z", "references": [ { "type": "WEB", "url": "https://github.com/HL7/fhir-ig-publisher/compare/1.7.3...1.7.4" }, { "type": "ADVISORY", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/52xxx/CVE-2024-52807.json" }, { "type": "ADVISORY", "url": "https://github.com/HL7/fhir-ig-publisher/security/advisories/GHSA-8c3x-hq82-gjcm" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52807" }, { "type": "FIX", "url": "https://github.com/HL7/fhir-ig-publisher/commit/3560de2f486d688a3ddcf4aa54d8bdacea380c3d" } ], "schema_version": "1.7.3", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "type": "CVSS_V3" } ], "summary": "XXE vulnerability in XSLT parsing in `org.hl7.fhir.publisher`" }