CVE-2025-24363 (GCVE-0-2025-24363)
Vulnerability from cvelistv5 – Published: 2025-01-24 18:54 – Updated: 2025-01-24 19:19
VLAI?
Summary
The HL7 FHIR IG publisher is a tool to take a set of inputs and create a standard FHIR IG. Prior to version 1.8.9, in CI contexts, the IG Publisher CLI uses git commands to determine the URL of the originating repo. If the repo was cloned, or otherwise set to use a repo that uses a username and credential based URL, the entire URL will be included in the built Implementation Guide, exposing username and credential. This does not impact users that clone public repos without credentials, such as those using the auto-ig-build continuous integration infrastructure. This problem has been patched in release 1.8.9. Some workarounds are available. Users should ensure the IG repo they are publishing does not have username or credentials included in the `origin` URL. Running the command `git remote origin url` should return a URL that contains no username, password, or token; or users should run the IG Publisher CLI with the `-repo` parameter and specify a URL that contains no username, password, or token.
Severity ?
4.2 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| HL7 | fhir-ig-publisher |
Affected:
< 1.8.9
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-24363",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-24T19:19:09.087937Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-24T19:19:20.046Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fhir-ig-publisher",
"vendor": "HL7",
"versions": [
{
"status": "affected",
"version": "\u003c 1.8.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The HL7 FHIR IG publisher is a tool to take a set of inputs and create a standard FHIR IG. Prior to version 1.8.9, in CI contexts, the IG Publisher CLI uses git commands to determine the URL of the originating repo. If the repo was cloned, or otherwise set to use a repo that uses a username and credential based URL, the entire URL will be included in the built Implementation Guide, exposing username and credential. This does not impact users that clone public repos without credentials, such as those using the auto-ig-build continuous integration infrastructure. This problem has been patched in release 1.8.9. Some workarounds are available. Users should ensure the IG repo they are publishing does not have username or credentials included in the `origin` URL. Running the command `git remote origin url` should return a URL that contains no username, password, or token; or users should run the IG Publisher CLI with the `-repo` parameter and specify a URL that contains no username, password, or token."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-24T19:14:51.895Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/HL7/fhir-ig-publisher/security/advisories/GHSA-6729-95v3-pjc2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/HL7/fhir-ig-publisher/security/advisories/GHSA-6729-95v3-pjc2"
},
{
"name": "https://github.com/HL7/fhir-ig-publisher/commit/d968694b7dd041640efab5414d7077d5028569f7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/HL7/fhir-ig-publisher/commit/d968694b7dd041640efab5414d7077d5028569f7"
},
{
"name": "https://github.com/HL7/fhir-ig-publisher/releases/tag/1.8.9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/HL7/fhir-ig-publisher/releases/tag/1.8.9"
}
],
"source": {
"advisory": "GHSA-6729-95v3-pjc2",
"discovery": "UNKNOWN"
},
"title": "The HL7 FHIR IG publisher may potentially expose GitHub repo user and credential information"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-24363",
"datePublished": "2025-01-24T18:54:44.179Z",
"dateReserved": "2025-01-20T15:18:26.990Z",
"dateUpdated": "2025-01-24T19:19:20.046Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-24363\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-01-24T19:15:13.633\",\"lastModified\":\"2025-01-24T19:15:13.633\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The HL7 FHIR IG publisher is a tool to take a set of inputs and create a standard FHIR IG. Prior to version 1.8.9, in CI contexts, the IG Publisher CLI uses git commands to determine the URL of the originating repo. If the repo was cloned, or otherwise set to use a repo that uses a username and credential based URL, the entire URL will be included in the built Implementation Guide, exposing username and credential. This does not impact users that clone public repos without credentials, such as those using the auto-ig-build continuous integration infrastructure. This problem has been patched in release 1.8.9. Some workarounds are available. Users should ensure the IG repo they are publishing does not have username or credentials included in the `origin` URL. Running the command `git remote origin url` should return a URL that contains no username, password, or token; or users should run the IG Publisher CLI with the `-repo` parameter and specify a URL that contains no username, password, or token.\"},{\"lang\":\"es\",\"value\":\"El HL7 FHIR IG publisher es una herramienta para tomar un conjunto de entradas y crear un IG de FHIR est\u00e1ndar. Antes de la versi\u00f3n 1.8.9, en contextos de CI, la CLI del editor IG usa comandos git para determinar la URL del repositorio de origen. Si el repositorio se clon\u00f3 o se configur\u00f3 de otra manera para usar un repositorio que usa una URL basada en nombre de usuario y credenciales, la URL completa se incluir\u00e1 en la Gu\u00eda de implementaci\u00f3n creado, exponiendo el nombre de usuario y las credenciales. Esto no afecta a los usuarios que clonan repositorios p\u00fablicos sin credenciales, como aquellos que usan la infraestructura de integraci\u00f3n continua auto-ig-build. Este problema se ha corregido en la versi\u00f3n 1.8.9. Algunos workarounds est\u00e1n disponibles. Los usuarios deben asegurarse de que el repositorio IG que est\u00e1n publicando no tenga nombre de usuario o credenciales incluidos en la URL `origin`. Ejecutar el comando `git remote origin url` deber\u00eda devolver una URL que no contenga nombre de usuario, contrase\u00f1a o token; o los usuarios deben ejecutar la CLI de IG Publisher con el par\u00e1metro `-repo` y especificar una URL que no contenga nombre de usuario, contrase\u00f1a o token.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N\",\"baseScore\":4.2,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":0.6,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"}]}],\"references\":[{\"url\":\"https://github.com/HL7/fhir-ig-publisher/commit/d968694b7dd041640efab5414d7077d5028569f7\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/HL7/fhir-ig-publisher/releases/tag/1.8.9\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/HL7/fhir-ig-publisher/security/advisories/GHSA-6729-95v3-pjc2\",\"source\":\"security-advisories@github.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-24363\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-01-24T19:19:09.087937Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-01-24T19:19:15.480Z\"}}], \"cna\": {\"title\": \"The HL7 FHIR IG publisher may potentially expose GitHub repo user and credential information\", \"source\": {\"advisory\": \"GHSA-6729-95v3-pjc2\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.2, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"HL7\", \"product\": \"fhir-ig-publisher\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.8.9\"}]}], \"references\": [{\"url\": \"https://github.com/HL7/fhir-ig-publisher/security/advisories/GHSA-6729-95v3-pjc2\", \"name\": \"https://github.com/HL7/fhir-ig-publisher/security/advisories/GHSA-6729-95v3-pjc2\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/HL7/fhir-ig-publisher/commit/d968694b7dd041640efab5414d7077d5028569f7\", \"name\": \"https://github.com/HL7/fhir-ig-publisher/commit/d968694b7dd041640efab5414d7077d5028569f7\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/HL7/fhir-ig-publisher/releases/tag/1.8.9\", \"name\": \"https://github.com/HL7/fhir-ig-publisher/releases/tag/1.8.9\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"The HL7 FHIR IG publisher is a tool to take a set of inputs and create a standard FHIR IG. Prior to version 1.8.9, in CI contexts, the IG Publisher CLI uses git commands to determine the URL of the originating repo. If the repo was cloned, or otherwise set to use a repo that uses a username and credential based URL, the entire URL will be included in the built Implementation Guide, exposing username and credential. This does not impact users that clone public repos without credentials, such as those using the auto-ig-build continuous integration infrastructure. This problem has been patched in release 1.8.9. Some workarounds are available. Users should ensure the IG repo they are publishing does not have username or credentials included in the `origin` URL. Running the command `git remote origin url` should return a URL that contains no username, password, or token; or users should run the IG Publisher CLI with the `-repo` parameter and specify a URL that contains no username, password, or token.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-200\", \"description\": \"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-01-24T19:14:51.895Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-24363\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-01-24T19:19:20.046Z\", \"dateReserved\": \"2025-01-20T15:18:26.990Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-01-24T18:54:44.179Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…