CVE-2026-33180
CRITICAL9.8EPSS 0.05%HAPI FHIR HTTP authentication leak in redirects
發布日:2026/3/18修改日:2026/3/25
描述
### Impact When setting headers in HTTP requests, the internal HTTP client sends headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the Location: response header value. Sending the same set of headers to subsequent hosts is a problem as this header often contains privacy sensitive information or data that could allow others to impersonate the client's request. ### Patches This issue has been patched in release 6.8.3 ### Workarounds None.
受影響套件(12)
- Maven/ca.uhn.hapi.fhir:org.hl7.fhir.convertorsfrom 0, < 6.9.0
- Maven/ca.uhn.hapi.fhir:org.hl7.fhir.dstu2from 0, < 6.9.0
- Maven/ca.uhn.hapi.fhir:org.hl7.fhir.dstu2016mayfrom 0, < 6.9.0
- Maven/ca.uhn.hapi.fhir:org.hl7.fhir.dstu3from 0, < 6.9.0
- Maven/ca.uhn.hapi.fhir:org.hl7.fhir.dstu3.supportfrom 0, < 6.9.0
- Maven/ca.uhn.hapi.fhir:org.hl7.fhir.modelfrom 0, < 6.9.0
- Maven/ca.uhn.hapi.fhir:org.hl7.fhir.r4from 0, < 6.9.0
- Maven/ca.uhn.hapi.fhir:org.hl7.fhir.r4bfrom 0, < 6.9.0
- Maven/ca.uhn.hapi.fhir:org.hl7.fhir.r5from 0, < 6.9.0
- Maven/ca.uhn.hapi.fhir:org.hl7.fhir.utilitiesfrom 0, < 6.9.0
- Maven/ca.uhn.hapi.fhir:org.hl7.fhir.validationfrom 0, < 6.9.0
- Maven/ca.uhn.hapi.fhir:org.hl7.fhir.validation.clifrom 0, < 6.9.0
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |