CVE-2024-51132: 
Java vulnerability analysis and mitigation

An XML External Entity (XXE) vulnerability was discovered in HAPI FHIR before version 6.4.0. The vulnerability was identified in multiple artifacts within the org.hl7.fhir.core repository, affecting various modules including org.hl7.fhir.convertors, org.hl7.fhir.dstu2, org.hl7.fhir.dstu2016may, org.hl7.fhir.dstu3, org.hl7.fhir.r4, org.hl7.fhir.r4b, org.hl7.fhir.r5, org.hl7.fhir.utilities, and org.hl7.fhir.validation (MITRE CVE, NVD).

The vulnerability is classified as an XML External Entity (XXE) injection issue that allows attackers to access sensitive information or execute arbitrary code through crafted requests containing malicious XML entities. The vulnerability has received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating its severe nature. The issue is tracked under CWE-611 (Improper Restriction of XML External Entity Reference) (CISA-ADP).

The vulnerability can be exploited to perform various malicious activities including unauthorized access to sensitive information and arbitrary code execution. The high CVSS score indicates that successful exploitation could lead to complete system compromise, with potential impacts on the confidentiality, integrity, and availability of the affected systems (Red Hat Advisory).

The primary mitigation is to upgrade HAPI FHIR to version 6.4.0 or later, which contains the fix for this vulnerability. The fix has been implemented across all affected modules in the org.hl7.fhir.core repository (HAPI FHIR Core).