{ "id": "CVE-2024-55887", "sourceIdentifier": "security-advisories@github.com", "published": "2024-12-13T16:15:28.063", "lastModified": "2024-12-13T16:15:28.063", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [ { "lang": "en", "value": "Ucum-java is a FHIR Java library providing UCUM Services. In versions prior to 1.0.9, XML parsing performed by the UcumEssenceService is vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag could produce XML containing data from the host system. This impacts use cases where ucum is being used within a host where external clients can submit XML. Release 1.0.9 of Ucum-java fixes this vulnerability. As a workaround, ensure that the source XML for instantiating UcumEssenceService is trusted." }, { "lang": "es", "value": "Ucum-java es una librer\u00eda Java FHIR que proporciona servicios UCUM. En versiones anteriores a la 1.0.9, el an\u00e1lisis de XML realizado por UcumEssenceService es vulnerable a inyecciones de entidades externas de XML. Un archivo XML procesado con una etiqueta DTD maliciosa podr\u00eda generar XML que contenga datos del sistema host. Esto afecta los casos de uso en los que se utiliza ucum dentro de un host donde los clientes externos pueden enviar XML. La versi\u00f3n 1.0.9 de Ucum-java corrige esta vulnerabilidad. Como workaround, aseg\u00farese de que el XML de origen para crear una instancia de UcumEssenceService sea confiable." 
} ], "metrics": { "cvssMetricV31": [ { "source": "security-advisories@github.com", "type": "Secondary", "cvssData": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE" }, "exploitabilityScore": 3.9, "impactScore": 4.0 } ] }, "weaknesses": [ { "source": "security-advisories@github.com", "type": "Primary", "description": [ { "lang": "en", "value": "CWE-611" } ] } ], "references": [ { "url": "https://github.com/FHIR/Ucum-java/security/advisories/GHSA-w9j7-phm3-f97j", "source": "security-advisories@github.com" } ] }