Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

CVE-2024-55887 (High) detected in ucum-1.0.8.jar #6556

Open
mend-bolt-for-github bot opened this issue Dec 15, 2024 · 0 comments
Open

CVE-2024-55887 (High) detected in ucum-1.0.8.jar #6556

mend-bolt-for-github bot opened this issue Dec 15, 2024 · 0 comments
Labels
Mend: dependency security vulnerability Security vulnerability detected by WhiteSource

Comments

@mend-bolt-for-github
Copy link
Contributor

mend-bolt-for-github bot commented Dec 15, 2024
edited
Loading

CVE-2024-55887 - High Severity Vulnerability

Vulnerable Library - ucum-1.0.8.jar

FHIR Java library providing UCUM Services

Library home page: http://fhir.org

Path to dependency file: /hapi-fhir-jpaserver-uhnfhirtest/pom.xml

Path to vulnerable library: /hapi-fhir-jpaserver-uhnfhirtest/pom.xml,/hapi-fhir-docs/pom.xml,/hapi-fhir-server-cds-hooks/pom.xml,/hapi-fhir-structures-r5/pom.xml,/hapi-fhir-jpaserver-test-utilities/pom.xml,/hapi-fhir-structures-dstu2.1/pom.xml,/hapi-fhir-cli/hapi-fhir-cli-app/pom.xml,/hapi-fhir-spring-boot/hapi-fhir-spring-boot-autoconfigure/pom.xml,/hapi-fhir-jpaserver-subscription/pom.xml,/hapi-fhir-structures-r4b/pom.xml,/hapi-fhir-converter/pom.xml,/hapi-fhir-structures-r4/pom.xml,/hapi-fhir-jpaserver-base/pom.xml,/hapi-fhir-storage/pom.xml,/hapi-fhir-server-mdm/pom.xml,/hapi-fhir-structures-dstu3/pom.xml,/hapi-fhir-storage-test-utilities/pom.xml,/hapi-fhir-storage-mdm/pom.xml,/hapi-fhir-jpaserver-ips/pom.xml,/hapi-fhir-storage-batch2-jobs/pom.xml,/hapi-fhir-storage-batch2/pom.xml,/hapi-fhir-jpaserver-hfql/pom.xml,/hapi-fhir-jpaserver-model/pom.xml,/hapi-fhir-cli/hapi-fhir-cli-api/pom.xml,/hapi-fhir-storage-batch2-test-utilities/pom.xml,/hapi-fhir-validation/pom.xml,/hapi-fhir-storage-cr/pom.xml,/hapi-fhir-jpaserver-elastic-test-utilities/pom.xml,/hapi-fhir-jpaserver-mdm/pom.xml,/hapi-fhir-jpaserver-searchparam/pom.xml,/hapi-tinder-test/pom.xml,/hapi-fhir-structures-hl7org-dstu2/pom.xml

Dependency Hierarchy:

  • ucum-1.0.8.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Ucum-java is a FHIR Java library providing UCUM Services. In versions prior to 1.0.9, XML parsing performed by the UcumEssenceService is vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag could produce XML containing data from the host system. This impacts use cases where ucum is being used to within a host where external clients can submit XML. Release 1.0.9 of Ucum-java fixes this vulnerability. As a workaround, ensure that the source xml for instantiating UcumEssenceService is trusted.

Publish Date: 2024-12-13

URL: CVE-2024-55887

CVSS 3 Score Details (8.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-w9j7-phm3-f97j

Release Date: 2024-12-13

Fix Resolution: 1.0.9

Step up your Open Source Security Game with Mend here
@mend-bolt-for-github mend-bolt-for-github bot added the Mend: dependency security vulnerability Security vulnerability detected by WhiteSource label Dec 15, 2024
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
Mend: dependency security vulnerability Security vulnerability detected by WhiteSource
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
0 participants