GHSA-9654-pr4f-gh6m
Suggest an improvement- Source
- https://github.com/advisories/GHSA-9654-pr4f-gh6m
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-9654-pr4f-gh6m/GHSA-9654-pr4f-gh6m.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-9654-pr4f-gh6m
- Aliases
- Related
- Published
- 2023-03-10T22:15:55Z
- Modified
- 2024-02-16T08:16:45.984605Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- HL7 FHIR Partial Path Zip Slip due to bypass of CVE-2023-24057
- Details
-
Impact
Zip Slip protections implemented in CVE-2023-24057 (GHSA-jqh6-9574-5x22) can be bypassed due a partial path traversal vulnerability.
This issue allows a malicious actor to potentially break out of the
TerminologyCacheManagercache directory. The impact is limited to sibling directories.To demonstrate the vulnerability, consider
userControlled.getCanonicalPath().startsWith("/usr/out")will allow an attacker to access a directory with a name like/usr/outnot.Why?
To demonstrate this vulnerability, consider
"/usr/outnot".startsWith("/usr/out"). The check is bypassed although/outnotis not under the/outdirectory. It's important to understand that the terminating slash may be removed when using variousStringrepresentations of theFileobject. For example, on Linux,println(new File("/var"))will print/var, butprintln(new File("/var", "/")will print/var/; however,println(new File("/var", "/").getCanonicalPath())will print/var.The Fix
Comparing paths with the
java.nio.files.Path#startsWithwill adequately protect againts this vulnerability.For example:
file.getCanonicalFile().toPath().startsWith(BASE_DIRECTORY)orfile.getCanonicalFile().toPath().startsWith(BASE_DIRECTORY_FILE.getCanonicalFile().toPath())Other Examples
- CVE-2022-31159 - aws/aws-sdk-java
- CVE-2022-23457 - ESAPI/esapi-java-legacy
Vulnerability
https://github.com/hapifhir/org.hl7.fhir.core/blob/b0daf666725fa14476d147522155af1e81922aac/org.hl7.fhir.r4b/src/main/java/org/hl7/fhir/r4b/terminologies/TerminologyCacheManager.java#L99-L105
While
getAbsolutePathwill return a normalized path, because the stringpathis not slash terminated, the guard can be bypassed to write the contents of the Zip file to a sibling directory of the cache directory.Patches
All org.hl7.fhir.core libraries should be updated to 5.6.106. - https://github.com/hapifhir/org.hl7.fhir.core/pull/1162
Workarounds
Unknown
References
- https://snyk.io/research/zip-slip-vulnerability
- Database specific
{ "nvd_published_at": "2023-12-12T17:15:07Z", "severity": "HIGH", "github_reviewed_at": "2023-03-10T22:15:55Z", "github_reviewed": true, "cwe_ids": [ "CWE-22" ] }- References
-
- https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-9654-pr4f-gh6m
- https://nvd.nist.gov/vuln/detail/CVE-2023-28465
- https://github.com/hapifhir/org.hl7.fhir.core/pull/1162
- https://github.com/advisories/GHSA-9654-pr4f-gh6m
- https://github.com/hapifhir/org.hl7.fhir.core
- https://github.com/hapifhir/org.hl7.fhir.core/blob/b0daf666725fa14476d147522155af1e81922aac/org.hl7.fhir.r4b/src/main/java/org/hl7/fhir/r4b/terminologies/TerminologyCacheManager.java#L99-L105
- https://github.com/hapifhir/org.hl7.fhir.core/releases/tag/5.6.106
- https://www.smilecdr.com/our-blog
- https://www.smilecdr.com/our-blog/statement-on-cve-2023-24057-smile-digital-health
Affected packages
Maven
ca.uhn.hapi.fhir:org.hl7.fhir.core
Package
- Name
- ca.uhn.hapi.fhir:org.hl7.fhir.core
- View open source insights on deps.dev
- Purl
- pkg:maven/ca.uhn.hapi.fhir/org.hl7.fhir.core
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed5.6.106
Affected versions
0.*
0.0.1
0.0.2
0.0.14
0.1.14
0.1.18
1.*
1.0.0
1.1.67
4.*
4.0.0
4.0.1
4.0.2
4.0.3
4.1.0
4.2.0
5.*
5.0.0
5.0.7
5.0.8
5.0.9
5.0.10
5.0.11
5.0.12
5.0.14
5.0.15
5.0.16
5.0.17
5.0.18
5.0.19
5.0.20
5.0.21
5.0.22
5.1.0
5.1.1
5.1.2
5.1.3
5.1.4
5.1.5
5.1.6
5.1.7
5.1.8
5.1.9
5.1.10
5.1.11
5.1.12
5.1.13
5.1.14
5.1.15
5.1.16
5.1.17
5.1.18
5.1.19
5.1.20
5.1.21
5.1.22
5.2.0
5.2.1
5.2.3
5.2.4
5.2.5
5.2.7
5.2.8
5.2.9
5.2.10
5.2.11
5.2.12
5.2.13
5.2.16
5.2.18
5.2.19
5.2.20
5.3.0
5.3.1
5.3.2
5.3.3
5.3.4
5.3.5
5.3.6
5.3.7
5.3.8
5.3.9
5.3.10
5.3.11
5.3.12
5.3.14
5.4.0
5.4.1
5.4.2
5.4.3
5.4.4
5.4.5
5.4.6
5.4.7
5.4.8
5.4.9
5.4.10
5.4.11
5.4.12
5.5.1
5.5.2
5.5.3
5.5.4
5.5.6
5.5.7
5.5.8
5.5.9
5.5.10
5.5.11
5.5.12
5.5.13
5.5.14
5.5.15
5.5.16
5.6.0
5.6.1
5.6.2
5.6.3
5.6.4
5.6.5
5.6.6
5.6.7
5.6.9
5.6.12
5.6.13
5.6.15
5.6.17
5.6.18
5.6.19
5.6.20
5.6.21
5.6.22
5.6.23
5.6.24
5.6.25
5.6.26
5.6.27
5.6.28
5.6.29
5.6.30
5.6.31
5.6.32
5.6.33
5.6.34
5.6.35
5.6.36
5.6.37
5.6.38
5.6.39
5.6.40
5.6.41
5.6.42
5.6.43
5.6.44
5.6.45
5.6.46
5.6.47
5.6.48
5.6.50
5.6.51
5.6.52
5.6.53
5.6.54
5.6.55
5.6.56
5.6.57
5.6.58
5.6.59
5.6.60
5.6.61
5.6.62
5.6.63
5.6.64
5.6.65
5.6.66
5.6.67
5.6.68
5.6.69
5.6.70
5.6.71
5.6.72
5.6.73
5.6.74
5.6.75
5.6.76
5.6.77
5.6.78
5.6.79
5.6.80
5.6.81
5.6.82
5.6.83
5.6.84
5.6.85
5.6.86
5.6.87
5.6.88
5.6.89
5.6.90
5.6.91
5.6.92
5.6.93
5.6.94
5.6.95
5.6.96
5.6.97
5.6.98
5.6.99
5.6.100
5.6.101
5.6.102
5.6.103
5.6.104
5.6.105
ca.uhn.hapi.fhir:org.hl7.fhir.convertors
Package
- Name
- ca.uhn.hapi.fhir:org.hl7.fhir.convertors
- View open source insights on deps.dev
- Purl
- pkg:maven/ca.uhn.hapi.fhir/org.hl7.fhir.convertors
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed5.6.106
Affected versions
0.*
0.0.1
0.0.2
0.0.14
0.1.18
1.*
1.0.0
1.1.67
4.*
4.0.0
4.0.1
4.0.2
4.0.3
4.1.0
4.2.0
5.*
5.0.0
5.0.7
5.0.8
5.0.9
5.0.10
5.0.11
5.0.12
5.0.13
5.0.14
5.0.15
5.0.16
5.0.17
5.0.18
5.0.19
5.0.20
5.0.21
5.0.22
5.1.0
5.1.1
5.1.2
5.1.3
5.1.4
5.1.5
5.1.6
5.1.7
5.1.8
5.1.9
5.1.10
5.1.11
5.1.12
5.1.13
5.1.14
5.1.15
5.1.16
5.1.17
5.1.18
5.1.19
5.1.20
5.1.21
5.1.22
5.2.0
5.2.1
5.2.3
5.2.4
5.2.5
5.2.7
5.2.8
5.2.9
5.2.10
5.2.11
5.2.12
5.2.13
5.2.16
5.2.18
5.2.19
5.2.20
5.3.0
5.3.1
5.3.2
5.3.3
5.3.4
5.3.5
5.3.6
5.3.7
5.3.8
5.3.9
5.3.10
5.3.11
5.3.12
5.3.14
5.4.0
5.4.1
5.4.2
5.4.3
5.4.4
5.4.5
5.4.6
5.4.7
5.4.8
5.4.9
5.4.10
5.4.11
5.4.12
5.5.1
5.5.2
5.5.3
5.5.4
5.5.6
5.5.7
5.5.8
5.5.9
5.5.10
5.5.11
5.5.12
5.5.13
5.5.14
5.5.15
5.5.16
5.6.0
5.6.1
5.6.2
5.6.3
5.6.4
5.6.5
5.6.6
5.6.7
5.6.9
5.6.12
5.6.13
5.6.15
5.6.17
5.6.18
5.6.19
5.6.20
5.6.21
5.6.22
5.6.23
5.6.24
5.6.25
5.6.26
5.6.27
5.6.28
5.6.29
5.6.30
5.6.31
5.6.32
5.6.33
5.6.34
5.6.35
5.6.36
5.6.37
5.6.38
5.6.39
5.6.40
5.6.41
5.6.42
5.6.43
5.6.44
5.6.45
5.6.46
5.6.47
5.6.48
5.6.50
5.6.51
5.6.52
5.6.53
5.6.54
5.6.55
5.6.56
5.6.57
5.6.58
5.6.59
5.6.60
5.6.61
5.6.62
5.6.63
5.6.64
5.6.65
5.6.66
5.6.67
5.6.68
5.6.69
5.6.70
5.6.71
5.6.72
5.6.73
5.6.74
5.6.75
5.6.76
5.6.77
5.6.78
5.6.79
5.6.80
5.6.81
5.6.82
5.6.83
5.6.84
5.6.85
5.6.86
5.6.87
5.6.88
5.6.89
5.6.90
5.6.91
5.6.92
5.6.93
5.6.94
5.6.95
5.6.96
5.6.97
5.6.98
5.6.99
5.6.100
5.6.101
5.6.102
5.6.103
5.6.104
5.6.105
ca.uhn.hapi.fhir:org.hl7.fhir.r4b
Package
- Name
- ca.uhn.hapi.fhir:org.hl7.fhir.r4b
- View open source insights on deps.dev
- Purl
- pkg:maven/ca.uhn.hapi.fhir/org.hl7.fhir.r4b
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed5.6.106
Affected versions
5.*
5.6.22
5.6.23
5.6.24
5.6.25
5.6.26
5.6.27
5.6.28
5.6.29
5.6.30
5.6.31
5.6.32
5.6.33
5.6.34
5.6.35
5.6.36
5.6.37
5.6.38
5.6.39
5.6.40
5.6.41
5.6.42
5.6.43
5.6.44
5.6.45
5.6.46
5.6.47
5.6.48
5.6.50
5.6.51
5.6.52
5.6.53
5.6.54
5.6.55
5.6.56
5.6.57
5.6.58
5.6.59
5.6.60
5.6.61
5.6.62
5.6.63
5.6.64
5.6.65
5.6.66
5.6.67
5.6.68
5.6.69
5.6.70
5.6.71
5.6.72
5.6.73
5.6.74
5.6.75
5.6.76
5.6.77
5.6.78
5.6.79
5.6.80
5.6.81
5.6.82
5.6.83
5.6.84
5.6.85
5.6.86
5.6.87
5.6.88
5.6.89
5.6.90
5.6.91
5.6.92
5.6.93
5.6.94
5.6.95
5.6.96
5.6.97
5.6.98
5.6.99
5.6.100
5.6.101
5.6.102
5.6.103
5.6.104
5.6.105
ca.uhn.hapi.fhir:org.hl7.fhir.r5
Package
- Name
- ca.uhn.hapi.fhir:org.hl7.fhir.r5
- View open source insights on deps.dev
- Purl
- pkg:maven/ca.uhn.hapi.fhir/org.hl7.fhir.r5
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed5.6.106
Affected versions
0.*
0.0.1
0.0.2
0.0.14
0.1.18
1.*
1.0.0
1.1.67
4.*
4.0.0
4.0.1
4.0.2
4.0.3
4.1.0
4.2.0
5.*
5.0.0
5.0.7
5.0.8
5.0.9
5.0.10
5.0.11
5.0.12
5.0.13
5.0.14
5.0.15
5.0.16
5.0.17
5.0.18
5.0.19
5.0.20
5.0.21
5.0.22
5.1.0
5.1.1
5.1.2
5.1.3
5.1.4
5.1.5
5.1.6
5.1.7
5.1.8
5.1.9
5.1.10
5.1.11
5.1.12
5.1.13
5.1.14
5.1.15
5.1.16
5.1.17
5.1.18
5.1.19
5.1.20
5.1.21
5.1.22
5.2.0
5.2.1
5.2.3
5.2.4
5.2.5
5.2.7
5.2.8
5.2.9
5.2.10
5.2.11
5.2.12
5.2.13
5.2.16
5.2.18
5.2.19
5.2.20
5.3.0
5.3.1
5.3.2
5.3.3
5.3.4
5.3.5
5.3.6
5.3.7
5.3.8
5.3.9
5.3.10
5.3.11
5.3.12
5.3.14
5.4.0
5.4.1
5.4.2
5.4.3
5.4.4
5.4.5
5.4.6
5.4.7
5.4.8
5.4.9
5.4.10
5.4.11
5.4.12
5.5.1
5.5.2
5.5.3
5.5.4
5.5.6
5.5.7
5.5.8
5.5.9
5.5.10
5.5.11
5.5.12
5.5.13
5.5.14
5.5.15
5.5.16
5.6.0
5.6.1
5.6.2
5.6.3
5.6.4
5.6.5
5.6.6
5.6.7
5.6.9
5.6.12
5.6.13
5.6.15
5.6.17
5.6.18
5.6.19
5.6.20
5.6.21
5.6.22
5.6.23
5.6.24
5.6.25
5.6.26
5.6.27
5.6.28
5.6.29
5.6.30
5.6.31
5.6.32
5.6.33
5.6.34
5.6.35
5.6.36
5.6.37
5.6.38
5.6.39
5.6.40
5.6.41
5.6.42
5.6.43
5.6.44
5.6.45
5.6.46
5.6.47
5.6.48
5.6.50
5.6.51
5.6.52
5.6.53
5.6.54
5.6.55
5.6.56
5.6.57
5.6.58
5.6.59
5.6.60
5.6.61
5.6.62
5.6.63
5.6.64
5.6.65
5.6.66
5.6.67
5.6.68
5.6.69
5.6.70
5.6.71
5.6.72
5.6.73
5.6.74
5.6.75
5.6.76
5.6.77
5.6.78
5.6.79
5.6.80
5.6.81
5.6.82
5.6.83
5.6.84
5.6.85
5.6.86
5.6.87
5.6.88
5.6.89
5.6.90
5.6.91
5.6.92
5.6.93
5.6.94
5.6.95
5.6.96
5.6.97
5.6.98
5.6.99
5.6.100
5.6.101
5.6.102
5.6.103
5.6.104
5.6.105
ca.uhn.hapi.fhir:org.hl7.fhir.utilities
Package
- Name
- ca.uhn.hapi.fhir:org.hl7.fhir.utilities
- View open source insights on deps.dev
- Purl
- pkg:maven/ca.uhn.hapi.fhir/org.hl7.fhir.utilities
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed5.6.106
Affected versions
0.*
0.0.1
0.0.2
0.0.14
0.1.18
1.*
1.0.0
1.1.67
4.*
4.0.0
4.0.1
4.0.2
4.0.3
4.1.0
4.2.0
5.*
5.0.0
5.0.7
5.0.8
5.0.9
5.0.10
5.0.11
5.0.12
5.0.13
5.0.14
5.0.15
5.0.16
5.0.17
5.0.18
5.0.19
5.0.20
5.0.21
5.0.22
5.1.0
5.1.1
5.1.2
5.1.3
5.1.4
5.1.5
5.1.6
5.1.7
5.1.8
5.1.9
5.1.10
5.1.11
5.1.12
5.1.13
5.1.14
5.1.15
5.1.16
5.1.17
5.1.18
5.1.19
5.1.20
5.1.21
5.1.22
5.2.0
5.2.1
5.2.3
5.2.4
5.2.5
5.2.7
5.2.8
5.2.9
5.2.10
5.2.11
5.2.12
5.2.13
5.2.16
5.2.18
5.2.19
5.2.20
5.3.0
5.3.1
5.3.2
5.3.3
5.3.4
5.3.5
5.3.6
5.3.7
5.3.8
5.3.9
5.3.10
5.3.11
5.3.12
5.3.14
5.4.0
5.4.1
5.4.2
5.4.3
5.4.4
5.4.5
5.4.6
5.4.7
5.4.8
5.4.9
5.4.10
5.4.11
5.4.12
5.5.1
5.5.2
5.5.3
5.5.4
5.5.6
5.5.7
5.5.8
5.5.9
5.5.10
5.5.11
5.5.12
5.5.13
5.5.14
5.5.15
5.5.16
5.6.0
5.6.1
5.6.2
5.6.3
5.6.4
5.6.5
5.6.6
5.6.7
5.6.9
5.6.12
5.6.13
5.6.15
5.6.17
5.6.18
5.6.19
5.6.20
5.6.21
5.6.22
5.6.23
5.6.24
5.6.25
5.6.26
5.6.27
5.6.28
5.6.29
5.6.30
5.6.31
5.6.32
5.6.33
5.6.34
5.6.35
5.6.36
5.6.37
5.6.38
5.6.39
5.6.40
5.6.41
5.6.42
5.6.43
5.6.44
5.6.45
5.6.46
5.6.47
5.6.48
5.6.50
5.6.51
5.6.52
5.6.53
5.6.54
5.6.55
5.6.56
5.6.57
5.6.58
5.6.59
5.6.60
5.6.61
5.6.62
5.6.63
5.6.64
5.6.65
5.6.66
5.6.67
5.6.68
5.6.69
5.6.70
5.6.71
5.6.72
5.6.73
5.6.74
5.6.75
5.6.76
5.6.77
5.6.78
5.6.79
5.6.80
5.6.81
5.6.82
5.6.83
5.6.84
5.6.85
5.6.86
5.6.87
5.6.88
5.6.89
5.6.90
5.6.91
5.6.92
5.6.93
5.6.94
5.6.95
5.6.96
5.6.97
5.6.98
5.6.99
5.6.100
5.6.101
5.6.102
5.6.103
5.6.104
5.6.105
ca.uhn.hapi.fhir:org.hl7.fhir.validation
Package
- Name
- ca.uhn.hapi.fhir:org.hl7.fhir.validation
- View open source insights on deps.dev
- Purl
- pkg:maven/ca.uhn.hapi.fhir/org.hl7.fhir.validation
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed5.6.106
Affected versions
0.*
0.0.1
0.0.2
0.0.14
0.1.18
1.*
1.0.0
1.1.67
4.*
4.0.0
4.0.1
4.0.2
4.0.3
4.1.0
4.2.0
5.*
5.0.0
5.0.7
5.0.8
5.0.9
5.0.10
5.0.11
5.0.12
5.0.13
5.0.14
5.0.15
5.0.16
5.0.17
5.0.18
5.0.19
5.0.20
5.0.21
5.0.22
5.1.0
5.1.1
5.1.2
5.1.3
5.1.4
5.1.5
5.1.6
5.1.7
5.1.8
5.1.9
5.1.10
5.1.11
5.1.12
5.1.13
5.1.14
5.1.15
5.1.16
5.1.17
5.1.18
5.1.19
5.1.20
5.1.21
5.1.22
5.2.0
5.2.1
5.2.3
5.2.4
5.2.5
5.2.7
5.2.8
5.2.9
5.2.10
5.2.11
5.2.12
5.2.13
5.2.16
5.2.18
5.2.19
5.2.20
5.3.0
5.3.1
5.3.2
5.3.3
5.3.4
5.3.5
5.3.6
5.3.7
5.3.8
5.3.9
5.3.10
5.3.11
5.3.12
5.3.14
5.4.0
5.4.1
5.4.2
5.4.3
5.4.4
5.4.5
5.4.6
5.4.7
5.4.8
5.4.9
5.4.10
5.4.11
5.4.12
5.5.1
5.5.2
5.5.3
5.5.4
5.5.6
5.5.7
5.5.8
5.5.9
5.5.10
5.5.11
5.5.12
5.5.13
5.5.14
5.5.15
5.5.16
5.6.0
5.6.1
5.6.2
5.6.3
5.6.4
5.6.5
5.6.6
5.6.7
5.6.9
5.6.12
5.6.13
5.6.15
5.6.17
5.6.18
5.6.19
5.6.20
5.6.21
5.6.22
5.6.23
5.6.24
5.6.25
5.6.26
5.6.27
5.6.28
5.6.29
5.6.30
5.6.31
5.6.32
5.6.33
5.6.34
5.6.35
5.6.36
5.6.37
5.6.38
5.6.39
5.6.40
5.6.41
5.6.42
5.6.43
5.6.44
5.6.45
5.6.46
5.6.47
5.6.48
5.6.50
5.6.51
5.6.52
5.6.53
5.6.54
5.6.55
5.6.56
5.6.57
5.6.58
5.6.59
5.6.60
5.6.61
5.6.62
5.6.63
5.6.64
5.6.65
5.6.66
5.6.67
5.6.68
5.6.69
5.6.70
5.6.71
5.6.72
5.6.73
5.6.74
5.6.75
5.6.76
5.6.77
5.6.78
5.6.79
5.6.80
5.6.81
5.6.82
5.6.83
5.6.84
5.6.85
5.6.86
5.6.87
5.6.88
5.6.89
5.6.90
5.6.91
5.6.92
5.6.93
5.6.94
5.6.95
5.6.96
5.6.97
5.6.98
5.6.99
5.6.100
5.6.101
5.6.102
5.6.103
5.6.104
5.6.105