HAPI FHIR HTTP authentication leak in redirects

HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.0, when setting headers in HTTP requests, the internal HTTP client sends headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the Location: response header value. Sending the same set of headers to subsequent hosts is a problem as this header often contains privacy sensitive information or data that could allow others to impersonate the client's request. This issue has been patched in release 6.9.0. No known workarounds are available.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

信息暴露

HAPI FHIR 信息泄露漏洞

HAPI FHIR是HAPI FHIR开源的一个Java编写的 HL7 FHIR API。 HAPI FHIR 6.9.0之前版本存在信息泄露漏洞，该漏洞源于内部HTTP客户端在设置HTTP请求标头时，会将同一组标头发送到后续主机，可能导致隐私敏感信息泄露或允许他人冒充客户端请求。

N/A

N/A