NVD Vulnerability Detail

CVE-2024-46984

Summary	The reference validator is a tool to perform advanced validation of FHIR resources for TI applications and interoperability standards. The profile location routine in the referencevalidator commons package is vulnerable to `XML External Entities` attack due to insecure defaults of the used Woodstox WstxInputFactory. A malicious XML resource can lead to network requests issued by referencevalidator and thus to a `Server Side Request Forgery` attack. The vulnerability impacts applications which use referencevalidator to process XML resources from untrusted sources. The problem has been patched with the 2.5.1 version of the referencevalidator. Users are strongly recommended to update to this version or a more recent one. A pre-processing or manual analysis of input XML resources on existence of DTD definitions or external entities can mitigate the problem.
Publication Date	Sept. 20, 2024, 8:15 a.m.
Registration Date	Sept. 20, 2024, noon
Last Update	Sept. 26, 2024, 2:49 a.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:gematik:reference_validator::::::::					2.5.1

Related information, measures and tools

No	URL	タグ
1	https://github.com/gematik/app-referencevalidator/security/advisories/GHSA-68j8-fp38-p48q	Vendor Advisory
2	https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#transformerfactory	Technical Description
3	https://github.com/gematik/app-referencevalidator/releases/tag/2.5.1	Release Notes
4	https://owasp.org/www-community/attacks/Server_Side_Request_Forgery	Technical Description
5	https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)	Technical Description
6	https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)#	Technical Description

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-611	XML 外部エンティティ参照の不適切な制限	https://cwe.mitre.org/data/definitions/611.html

JVN Vulnerability Information

gematik の reference validator における XML 外部エンティティの脆弱性

Title	gematik の reference validator における XML 外部エンティティの脆弱性
Summary	gematik の reference validator には、XML 外部エンティティの脆弱性が存在します。
Possible impacts	情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダアドバイザリまたはパッチ情報が公開されています。参考情報を参照して適切な対策を実施してください。
Publication Date	Sept. 19, 2024, midnight
Registration Date	Sept. 26, 2024, 1:46 p.m.
Last Update	Sept. 26, 2024, 1:46 p.m.

Affected System

gematik

reference validator 2.5.1 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2024-46984	https://www.cve.org/CVERecord?id=CVE-2024-46984
National Vulnerability Database (NVD)
2	CVE-2024-46984	https://nvd.nist.gov/vuln/detail/CVE-2024-46984

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-611	https://cwe.mitre.org/data/definitions/611.html

その他

No	Name	URL
関連文書
1	cheatsheetseries.owasp.org (XML_External_Entity_Prevention_Cheat_Sheet.html#transformerfactory)	https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#transformerfactory
2	github.com (2.5.1)	https://github.com/gematik/app-referencevalidator/releases/tag/2.5.1
3	github.com (GHSA-68j8-fp38-p48q)	https://github.com/gematik/app-referencevalidator/security/advisories/GHSA-68j8-fp38-p48q
4	owasp.org (A4_2017-XML_External_Entities_(XXE)#)	https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)#
5	owasp.org (A4_2017-XML_External_Entities_(XXE))	https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)
6	owasp.org (Server_Side_Request_Forgery)	https://owasp.org/www-community/attacks/Server_Side_Request_Forgery

Change Log

No	Changed Details	Date of change
1	[2024年09月26日] 掲載	Sept. 26, 2024, 1:46 p.m.