{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/hapi/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["HAPI FHIR Core"],"_cs_severities":["high"],"_cs_tags":["hapi-fhir","credential-leakage","redirect","CVE-2026-34359"],"_cs_type":"advisory","_cs_vendors":["HAPI"],"content_html":"\u003cp\u003eHAPI FHIR Core versions prior to 6.9.4 are vulnerable to an authentication credential leakage issue. The vulnerability resides in the \u003ccode\u003eManagedWebAccessUtils.getServer()\u003c/code\u003e function, which uses \u003ccode\u003eString.startsWith()\u003c/code\u003e to match request URLs against configured server URLs. Due to the lack of a proper host boundary check, an attacker can register a domain that is a prefix of a legitimate FHIR server URL (e.g., \u003ccode\u003ehttp://tx.fhir.org.attacker.com\u003c/code\u003e matching \u003ccode\u003ehttp://tx.fhir.org\u003c/code\u003e). When the application follows a redirect to this attacker-controlled domain, sensitive credentials such as Bearer tokens, Basic authentication credentials, or API keys are inadvertently sent to the attacker. This issue affects deployments that configure server authentication in \u003ccode\u003efhir-settings.json\u003c/code\u003e and make outbound HTTP requests to terminology servers. The vulnerability was introduced due to the removal of a host-equality check for redirects in \u003ccode\u003eSimpleHTTPClient\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe application makes an HTTP request to a configured FHIR server (e.g., \u003ccode\u003ehttp://tx.fhir.org/ValueSet/$expand\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe legitimate server responds with an HTTP 302 redirect to an attacker-controlled domain that shares a prefix with the legitimate server (e.g., \u003ccode\u003ehttp://tx.fhir.org.attacker.com/capture\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe HTTP client (either \u003ccode\u003eSimpleHTTPClient\u003c/code\u003e or \u003ccode\u003eManagedFhirWebAccessor\u003c/code\u003e with OkHttpClient) follows the redirect.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eManagedWebAccessUtils.getServer()\u003c/code\u003e function is called to determine if authentication headers should be added to the request.\u003c/li\u003e\n\u003cli\u003eDue to the \u003ccode\u003estartsWith()\u003c/code\u003e check, the attacker's domain matches the configured server URL.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eServerDetailsPOJOHTTPAuthProvider.getHeaders()\u003c/code\u003e function retrieves configured credentials (Bearer token, Basic auth, or API key).\u003c/li\u003e\n\u003cli\u003eThe HTTP client adds the retrieved authentication headers to the redirected request.\u003c/li\u003e\n\u003cli\u003eThe request, including the sensitive credentials, is sent to the attacker-controlled server. The attacker captures these credentials.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to steal authentication credentials, including Bearer tokens, Basic authentication passwords, API keys, and custom authentication headers configured for FHIR terminology servers. Stolen credentials enable the attacker to impersonate legitimate users, potentially accessing or modifying clinical terminology data on the legitimate FHIR server. This can lead to unauthorized data access, data manipulation, and potential compliance violations. The vulnerability impacts any FHIR Validator deployment that configures server authentication and makes outbound HTTP requests, making it a widespread concern in healthcare IT. It may also allow TLS downgrade.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the vendor-supplied patch to upgrade to HAPI FHIR Core version 6.9.4 or later to remediate CVE-2026-34359.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious FHIR Redirect\u003c/code\u003e to identify potential exploitation attempts based on redirects to unusual domains.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for HTTP redirects to domains containing the names of configured FHIR servers as a subdomain using the \u003ccode\u003eDetect FHIR Server Subdomain Redirect\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement proper URL host boundary validation in \u003ccode\u003eManagedWebAccessUtils.getServer()\u003c/code\u003e and \u003ccode\u003eManagedWebAccess.isLocal()\u003c/code\u003e as described in the advisory.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-hapi-fhir-credential-leak/","summary":"HAPI FHIR Core is vulnerable to authentication credential leakage due to improper URL prefix matching on HTTP redirects, allowing attackers to intercept credentials by hosting a domain that is a prefix of a configured FHIR server URL.","title":"HAPI FHIR Credential Leakage via Improper URL Prefix Matching","url":"https://feed.craftedsignal.io/briefs/2024-01-hapi-fhir-credential-leak/"}],"language":"en","title":"CraftedSignal Threat Feed - HAPI","version":"https://jsonfeed.org/version/1.1"}