CVE-2024-52807: 
Java vulnerability analysis and mitigation

The HL7 FHIR IG publisher, a tool for creating standard FHIR Implementation Guides (IGs), was found to contain a vulnerability in versions prior to 1.7.4. The vulnerability involves XSLT transforms performed by various components being susceptible to XML external entity (XXE) injections. The issue was discovered and disclosed on January 24, 2025, affecting the org.hl7.fhir.publisher package (GitHub Advisory, NVD).

The vulnerability allows a processed XML file containing a malicious DTD tag ( ]> to produce XML that could extract data from the host system. This XXE vulnerability is tracked as CVE-2024-52807 and has been assigned a CVSS v3.1 base score of 8.6 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N. The issue is classified as CWE-611: Improper Restriction of XML External Entity Reference (GitHub Advisory, NVD).

The vulnerability primarily affects environments where org.hl7.fhir.publisher is being used within a host system where external clients can submit XML. When successfully exploited, the vulnerability could allow attackers to access data from the host system through XML external entity injection attacks (GitHub Advisory).

The vulnerability has been patched in version 1.7.4 of the HL7 FHIR IG publisher. No known workarounds are available for users who cannot immediately update to the patched version (GitHub Advisory).