The HL7 FHIR IG publisher is a tool to take a set of inputs and create a standard FHIR IG. Prior to version 1.7.4, XSLT transforms performed by various components are vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag `( ]>` could produce XML containing data from the host system. This impacts use cases where org.hl7.fhir.publisher is being used to within a host where external clients can submit XML. A previous release provided an incomplete solution revealed by new testing. This issue has been patched as of version 1.7.4. No known workarounds are available.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| org.hl7.fhir.publisher:org.hl7.fhir.publisher.cli(Maven) | 0 | 1.7.4 | N/A |
| org.hl7.fhir.publisher:org.hl7.fhir.publisher.core(Maven) | 0 | 1.7.4 | N/A |
CVSS Metrics
