CVE-2024-46984

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-46984
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-46984.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-46984
Aliases
Published
2024-09-19T23:15:12Z
Modified
2024-10-08T04:23:11.242160Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

The reference validator is a tool to perform advanced validation of FHIR resources for TI applications and interoperability standards. The profile location routine in the referencevalidator commons package is vulnerable to an XML External Entity (XXE) attack because it relies on the insecure defaults of the Woodstox WstxInputFactory it uses, which processes DTDs and resolves external entities unless told otherwise. A malicious XML resource can therefore cause referencevalidator to issue network requests, i.e. a Server Side Request Forgery (SSRF) attack. The vulnerability affects applications that use referencevalidator to process XML resources from untrusted sources. The problem has been patched in version 2.5.1 of the referencevalidator; users are strongly recommended to update to this version or a more recent one. Pre-processing or manual analysis of input XML resources for the presence of DTD definitions or external entities can mitigate the problem.
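The following is an added example, not code from the referencevalidator project or from the advisory: it shows a Woodstox StAX factory with its default (vulnerable) settings next to a hardened one, and the DTD pre-screen the advisory suggests as a mitigation. The FHIR Patient snippet, the entity name, the attacker.invalid URL and the class and method names are constructed for illustration; the only dependency assumed is woodstox-core (com.ctc.wstx.stax.WstxInputFactory) on the classpath. The code does not reproduce the project's actual profile-location routine, only a generic "read meta.profile/@value" step of the kind it performs.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import com.ctc.wstx.stax.WstxInputFactory;

public class XxeHardeningDemo {

    // Constructed payload (not from the advisory): an external entity whose SYSTEM
    // URL a default-configured parser would fetch when &ext; is expanded (SSRF).
    // The host is hypothetical; nothing is expected to listen there.
    static final String PAYLOAD =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE Patient [<!ENTITY ext SYSTEM \"http://attacker.invalid/probe\">]>\n"
        + "<Patient xmlns=\"http://hl7.org/fhir\">\n"
        + "  <meta><profile value=\"&ext;\"/></meta>\n"
        + "</Patient>";

    // Insecure: WstxInputFactory as created with no properties set. Woodstox
    // enables DTD processing and external entity resolution by default.
    static XMLInputFactory defaultFactory() {
        return new WstxInputFactory();
    }

    // Hardened: no DTD processing, no external entity resolution. Both settings
    // are standard javax.xml.stream property names that Woodstox honours.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = new WstxInputFactory();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return f;
    }

    // Pre-screen from the advisory's mitigation: reject any document that carries
    // a DOCTYPE at all. With SUPPORT_DTD=false Woodstox still reports the DTD
    // event (without parsing the subset), so the decision is made before the
    // root element and therefore before any entity could be expanded.
    static boolean containsDoctype(XMLInputFactory f, String xml) throws XMLStreamException {
        XMLStreamReader r = f.createXMLStreamReader(new StringReader(xml));
        try {
            while (r.hasNext()) {
                int ev = r.next();
                if (ev == XMLStreamConstants.DTD) return true;
                if (ev == XMLStreamConstants.START_ELEMENT) return false; // prolog is over
            }
            return false;
        } finally {
            r.close();
        }
    }

    // Generic "locate the profile" step: return meta.profile/@value (hypothetical
    // stand-in for the project's routine, which is not shown on this page).
    static String readProfile(XMLInputFactory f, String xml) throws XMLStreamException {
        XMLStreamReader r = f.createXMLStreamReader(new StringReader(xml));
        try {
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.START_ELEMENT
                        && "profile".equals(r.getLocalName())) {
                    return r.getAttributeValue(null, "value");
                }
            }
            return null;
        } finally {
            r.close();
        }
    }

    public static void main(String[] args) throws Exception {
        XMLInputFactory hardened = hardenedFactory();

        // 1. Pre-screen: the payload declares a DTD, so it is rejected outright.
        if (containsDoctype(hardened, PAYLOAD)) {
            System.out.println("rejected: input declares a DTD");
        }

        // 2. Even without the pre-screen, the hardened factory never dereferences
        //    the SYSTEM entity; Woodstox fails on the unresolvable reference instead.
        try {
            System.out.println("profile = " + readProfile(hardened, PAYLOAD));
        } catch (XMLStreamException e) {
            System.out.println("hardened parser refused entity: " + e.getMessage());
        }

        // 3. For contrast only: readProfile(defaultFactory(), PAYLOAD) would try to
        //    fetch http://attacker.invalid/probe while expanding &ext;. Do not run
        //    the default factory against untrusted input.
    }
}
```

Usage: compile with woodstox-core on the classpath and run `XxeHardeningDemo`. The two checks are deliberately layered: the DOCTYPE pre-screen is cheap and matches the advisory's mitigation, while the factory settings are the actual fix, because an upstream library that is handed a factory can otherwise still be talked into resolving a SYSTEM entity declared in an external DTD rather than an internal subset.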

References

Affected packages

Git / github.com/gematik/app-referencevalidator

Affected ranges

Type
GIT
Repo
https://github.com/gematik/app-referencevalidator
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

1.*

1.1.0

2.*

2.0.0
2.0.1
2.0.2
2.1.1
2.2.0
2.3.0
2.4.0
2.5.0