GHSA-jqh6-9574-5x22

Source

https://github.com/advisories/GHSA-jqh6-9574-5x22

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-jqh6-9574-5x22/GHSA-jqh6-9574-5x22.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-jqh6-9574-5x22

Aliases

Published

2023-01-23T22:05:28Z

Modified

2023-11-08T04:11:43.699753Z

Severity

9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H CVSS Calculator

Summary

MITM based Zip Slip in `ca.uhn.hapi.fhir:org.hl7.fhir.core`

Details

Impact

MITM can enable Zip-Slip.

Vulnerability

Vulnerability 1: `Scanner.java`

There is no validation that the zip file being unpacked has entries that are not maliciously writing outside of the intended destination directory. https://github.com/hapifhir/org.hl7.fhir.core/blob/8c43e21094af971303131efd081503e5a112db4b/org.hl7.fhir.validation/src/main/java/org/hl7/fhir/validation/Scanner.java#L335-L357

This zip archive is downloaded over HTTP instead of HTTPS, leaving it vulnerable to compromise in-flight. https://github.com/hapifhir/org.hl7.fhir.core/blob/8c43e21094af971303131efd081503e5a112db4b/org.hl7.fhir.validation/src/main/java/org/hl7/fhir/validation/Scanner.java#L136

Vulnerability 2: `TerminologyCacheManager.java`

Note: While these links point to only one implementation, both implementations of TerminologyCacheManager.java are vulnerable to this as their code seems to be duplicated. - https://github.com/hapifhir/org.hl7.fhir.core/blob/f58b7acfb5e393cac52cc5bbb170bdb669c2880e/org.hl7.fhir.r5/src/main/java/org/hl7/fhir/r5/terminologies/TerminologyCacheManager.java - https://github.com/hapifhir/org.hl7.fhir.core/blob/f58b7acfb5e393cac52cc5bbb170bdb669c2880e/org.hl7.fhir.r4b/src/main/java/org/hl7/fhir/r4b/terminologies/TerminologyCacheManager.java

While there is validation in this bit of logic that attempts to validate that the zip file doesn't contain malicious entries that escape the destination directory, the guard is insufficient.

https://github.com/hapifhir/org.hl7.fhir.core/blob/f58b7acfb5e393cac52cc5bbb170bdb669c2880e/org.hl7.fhir.r5/src/main/java/org/hl7/fhir/r5/terminologies/TerminologyCacheManager.java#L97-L113

This is because the Utilities.path(String... path) method does not normalize the path, although it seems to be attempting to do so. https://github.com/hapifhir/org.hl7.fhir.core/blob/f58b7acfb5e393cac52cc5bbb170bdb669c2880e/org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/Utilities.java#L617-L675

The normalization only occurs if the path element starts with a path traversal payload. As an example, calling Utilities.path("/base", "/child/../test") will return the string "/base/child/../test".

This guard logic can, thus, be easily bypassed: https://github.com/hapifhir/org.hl7.fhir.core/blob/f58b7acfb5e393cac52cc5bbb170bdb669c2880e/org.hl7.fhir.r5/src/main/java/org/hl7/fhir/r5/terminologies/TerminologyCacheManager.java#L100-L104

Assuming an attacker can control the return value of ze.getName(), they can supply a value like /anything/../../../../zipsip-protection-bypass.txt.

Similarly, an attacker can control the contents of the Zip file via a MITM attack as this logic is used with resources not downloaded over HTTPS.

https://github.com/hapifhir/org.hl7.fhir.core/blob/f58b7acfb5e393cac52cc5bbb170bdb669c2880e/org.hl7.fhir.r5/src/main/java/org/hl7/fhir/r5/terminologies/TerminologyCacheManager.java#L66-L73

Patches

Unknown

Workarounds

Unknown

References

https://snyk.io/research/zip-slip-vulnerability

Database specific

{
    "nvd_published_at": "2023-01-26T21:18:00Z",
    "github_reviewed_at": "2023-01-23T22:05:28Z",
    "severity": "CRITICAL",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-22"
    ]
}

References

Affected packages

Maven / ca.uhn.hapi.fhir:org.hl7.fhir.core

Package

Name: ca.uhn.hapi.fhir:org.hl7.fhir.core; View open source insights on deps.dev
Purl: pkg:maven/ca.uhn.hapi.fhir/org.hl7.fhir.core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.6.92

Affected versions

0.*

0.0.1

0.0.2

0.0.14

0.1.14

0.1.18

1.*

1.0.0

1.1.67

4.*

4.0.0

4.0.1

4.0.2

4.0.3

4.1.0

4.2.0

5.*

5.0.0

5.0.7

5.0.8

5.0.9

5.0.10

5.0.11

5.0.12

5.0.14

5.0.15

5.0.16

5.0.17

5.0.18

5.0.19

5.0.20

5.0.21

5.0.22

5.1.0

5.1.1

5.1.2

5.1.3

5.1.4

5.1.5

5.1.6

5.1.7

5.1.8

5.1.9

5.1.10

5.1.11

5.1.12

5.1.13

5.1.14

5.1.15

5.1.16

5.1.17

5.1.18

5.1.19

5.1.20

5.1.21

5.1.22

5.2.0

5.2.1

5.2.3

5.2.4

5.2.5

5.2.7

5.2.8

5.2.9

5.2.10

5.2.11

5.2.12

5.2.13

5.2.16

5.2.18

5.2.19

5.2.20

5.3.0

5.3.1

5.3.2

5.3.3

5.3.4

5.3.5

5.3.6

5.3.7

5.3.8

5.3.9

5.3.10

5.3.11

5.3.12

5.3.14

5.4.0

5.4.1

5.4.2

5.4.3

5.4.4

5.4.5

5.4.6

5.4.7

5.4.8

5.4.9

5.4.10

5.4.11

5.4.12

5.5.1

5.5.2

5.5.3

5.5.4

5.5.6

5.5.7

5.5.8

5.5.9

5.5.10

5.5.11

5.5.12

5.5.13

5.5.14

5.5.15

5.5.16

5.6.0

5.6.1

5.6.2

5.6.3

5.6.4

5.6.5

5.6.6

5.6.7

5.6.9

5.6.12

5.6.13

5.6.15

5.6.17

5.6.18

5.6.19

5.6.20

5.6.21

5.6.22

5.6.23

5.6.24

5.6.25

5.6.26

5.6.27

5.6.28

5.6.29

5.6.30

5.6.31

5.6.32

5.6.33

5.6.34

5.6.35

5.6.36

5.6.37

5.6.38

5.6.39

5.6.40

5.6.41

5.6.42

5.6.43

5.6.44

5.6.45

5.6.46

5.6.47

5.6.48

5.6.50

5.6.51

5.6.52

5.6.53

5.6.54

5.6.55

5.6.56

5.6.57

5.6.58

5.6.59

5.6.60

5.6.61

5.6.62

5.6.63

5.6.64

5.6.65

5.6.66

5.6.67

5.6.68

5.6.69

5.6.70

5.6.71

5.6.72

5.6.73

5.6.74

5.6.75

5.6.76

5.6.77

5.6.78

5.6.79

5.6.80

5.6.81

5.6.82

5.6.83

5.6.84

5.6.85

5.6.86

5.6.87

5.6.88

5.6.89

5.6.90

5.6.91

Maven / ca.uhn.hapi.fhir:org.hl7.fhir.convertors

Package

Name: ca.uhn.hapi.fhir:org.hl7.fhir.convertors; View open source insights on deps.dev
Purl: pkg:maven/ca.uhn.hapi.fhir/org.hl7.fhir.convertors

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.6.92

Affected versions

0.*

0.0.1

0.0.2

0.0.14

0.1.18

1.*

1.0.0

1.1.67

4.*

4.0.0

4.0.1

4.0.2

4.0.3

4.1.0

4.2.0

5.*

5.0.0

5.0.7

5.0.8

5.0.9

5.0.10

5.0.11

5.0.12

5.0.13

5.0.14

5.0.15

5.0.16

5.0.17

5.0.18

5.0.19

5.0.20

5.0.21

5.0.22

5.1.0

5.1.1

5.1.2

5.1.3

5.1.4

5.1.5

5.1.6

5.1.7

5.1.8

5.1.9

5.1.10

5.1.11

5.1.12

5.1.13

5.1.14

5.1.15

5.1.16

5.1.17

5.1.18

5.1.19

5.1.20

5.1.21

5.1.22

5.2.0

5.2.1

5.2.3

5.2.4

5.2.5

5.2.7

5.2.8

5.2.9

5.2.10

5.2.11

5.2.12

5.2.13

5.2.16

5.2.18

5.2.19

5.2.20

5.3.0

5.3.1

5.3.2

5.3.3

5.3.4

5.3.5

5.3.6

5.3.7

5.3.8

5.3.9

5.3.10

5.3.11

5.3.12

5.3.14

5.4.0

5.4.1

5.4.2

5.4.3

5.4.4

5.4.5

5.4.6

5.4.7

5.4.8

5.4.9

5.4.10

5.4.11

5.4.12

5.5.1

5.5.2

5.5.3

5.5.4

5.5.6

5.5.7

5.5.8

5.5.9

5.5.10

5.5.11

5.5.12

5.5.13

5.5.14

5.5.15

5.5.16

5.6.0

5.6.1

5.6.2

5.6.3

5.6.4

5.6.5

5.6.6

5.6.7

5.6.9

5.6.12

5.6.13

5.6.15

5.6.17

5.6.18

5.6.19

5.6.20

5.6.21

5.6.22

5.6.23

5.6.24

5.6.25

5.6.26

5.6.27

5.6.28

5.6.29

5.6.30

5.6.31

5.6.32

5.6.33

5.6.34

5.6.35

5.6.36

5.6.37

5.6.38

5.6.39

5.6.40

5.6.41

5.6.42

5.6.43

5.6.44

5.6.45

5.6.46

5.6.47

5.6.48

5.6.50

5.6.51

5.6.52

5.6.53

5.6.54

5.6.55

5.6.56

5.6.57

5.6.58

5.6.59

5.6.60

5.6.61

5.6.62

5.6.63

5.6.64

5.6.65

5.6.66

5.6.67

5.6.68

5.6.69

5.6.70

5.6.71

5.6.72

5.6.73

5.6.74

5.6.75

5.6.76

5.6.77

5.6.78

5.6.79

5.6.80

5.6.81

5.6.82

5.6.83

5.6.84

5.6.85

5.6.86

5.6.87

5.6.88

5.6.89

5.6.90

5.6.91

Maven / ca.uhn.hapi.fhir:org.hl7.fhir.r4b

Package

Name: ca.uhn.hapi.fhir:org.hl7.fhir.r4b; View open source insights on deps.dev
Purl: pkg:maven/ca.uhn.hapi.fhir/org.hl7.fhir.r4b

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.6.92

Affected versions

5.*

5.6.22

5.6.23

5.6.24

5.6.25

5.6.26

5.6.27

5.6.28

5.6.29

5.6.30

5.6.31

5.6.32

5.6.33

5.6.34

5.6.35

5.6.36

5.6.37

5.6.38

5.6.39

5.6.40

5.6.41

5.6.42

5.6.43

5.6.44

5.6.45

5.6.46

5.6.47

5.6.48

5.6.50

5.6.51

5.6.52

5.6.53

5.6.54

5.6.55

5.6.56

5.6.57

5.6.58

5.6.59

5.6.60

5.6.61

5.6.62

5.6.63

5.6.64

5.6.65

5.6.66

5.6.67

5.6.68

5.6.69

5.6.70

5.6.71

5.6.72

5.6.73

5.6.74

5.6.75

5.6.76

5.6.77

5.6.78

5.6.79

5.6.80

5.6.81

5.6.82

5.6.83

5.6.84

5.6.85

5.6.86

5.6.87

5.6.88

5.6.89

5.6.90

5.6.91

Maven / ca.uhn.hapi.fhir:org.hl7.fhir.r5

Package

Name: ca.uhn.hapi.fhir:org.hl7.fhir.r5; View open source insights on deps.dev
Purl: pkg:maven/ca.uhn.hapi.fhir/org.hl7.fhir.r5

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.6.92

Affected versions

0.*

0.0.1

0.0.2

0.0.14

0.1.18

1.*

1.0.0

1.1.67

4.*

4.0.0

4.0.1

4.0.2

4.0.3

4.1.0

4.2.0

5.*

5.0.0

5.0.7

5.0.8

5.0.9

5.0.10

5.0.11

5.0.12

5.0.13

5.0.14

5.0.15

5.0.16

5.0.17

5.0.18

5.0.19

5.0.20

5.0.21

5.0.22

5.1.0

5.1.1

5.1.2

5.1.3

5.1.4

5.1.5

5.1.6

5.1.7

5.1.8

5.1.9

5.1.10

5.1.11

5.1.12

5.1.13

5.1.14

5.1.15

5.1.16

5.1.17

5.1.18

5.1.19

5.1.20

5.1.21

5.1.22

5.2.0

5.2.1

5.2.3

5.2.4

5.2.5

5.2.7

5.2.8

5.2.9

5.2.10

5.2.11

5.2.12

5.2.13

5.2.16

5.2.18

5.2.19

5.2.20

5.3.0

5.3.1

5.3.2

5.3.3

5.3.4

5.3.5

5.3.6

5.3.7

5.3.8

5.3.9

5.3.10

5.3.11

5.3.12

5.3.14

5.4.0

5.4.1

5.4.2

5.4.3

5.4.4

5.4.5

5.4.6

5.4.7

5.4.8

5.4.9

5.4.10

5.4.11

5.4.12

5.5.1

5.5.2

5.5.3

5.5.4

5.5.6

5.5.7

5.5.8

5.5.9

5.5.10

5.5.11

5.5.12

5.5.13

5.5.14

5.5.15

5.5.16

5.6.0

5.6.1

5.6.2

5.6.3

5.6.4

5.6.5

5.6.6

5.6.7

5.6.9

5.6.12

5.6.13

5.6.15

5.6.17

5.6.18

5.6.19

5.6.20

5.6.21

5.6.22

5.6.23

5.6.24

5.6.25

5.6.26

5.6.27

5.6.28

5.6.29

5.6.30

5.6.31

5.6.32

5.6.33

5.6.34

5.6.35

5.6.36

5.6.37

5.6.38

5.6.39

5.6.40

5.6.41

5.6.42

5.6.43

5.6.44

5.6.45

5.6.46

5.6.47

5.6.48

5.6.50

5.6.51

5.6.52

5.6.53

5.6.54

5.6.55

5.6.56

5.6.57

5.6.58

5.6.59

5.6.60

5.6.61

5.6.62

5.6.63

5.6.64

5.6.65

5.6.66

5.6.67

5.6.68

5.6.69

5.6.70

5.6.71

5.6.72

5.6.73

5.6.74

5.6.75

5.6.76

5.6.77

5.6.78

5.6.79

5.6.80

5.6.81

5.6.82

5.6.83

5.6.84

5.6.85

5.6.86

5.6.87

5.6.88

5.6.89

5.6.90

5.6.91

Maven / ca.uhn.hapi.fhir:org.hl7.fhir.utilities

Package

Name: ca.uhn.hapi.fhir:org.hl7.fhir.utilities; View open source insights on deps.dev
Purl: pkg:maven/ca.uhn.hapi.fhir/org.hl7.fhir.utilities

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.6.92

Affected versions

0.*

0.0.1

0.0.2

0.0.14

0.1.18

1.*

1.0.0

1.1.67

4.*

4.0.0

4.0.1

4.0.2

4.0.3

4.1.0

4.2.0

5.*

5.0.0

5.0.7

5.0.8

5.0.9

5.0.10

5.0.11

5.0.12

5.0.13

5.0.14

5.0.15

5.0.16

5.0.17

5.0.18

5.0.19

5.0.20

5.0.21

5.0.22

5.1.0

5.1.1

5.1.2

5.1.3

5.1.4

5.1.5

5.1.6

5.1.7

5.1.8

5.1.9

5.1.10

5.1.11

5.1.12

5.1.13

5.1.14

5.1.15

5.1.16

5.1.17

5.1.18

5.1.19

5.1.20

5.1.21

5.1.22

5.2.0

5.2.1

5.2.3

5.2.4

5.2.5

5.2.7

5.2.8

5.2.9

5.2.10

5.2.11

5.2.12

5.2.13

5.2.16

5.2.18

5.2.19

5.2.20

5.3.0

5.3.1

5.3.2

5.3.3

5.3.4

5.3.5

5.3.6

5.3.7

5.3.8

5.3.9

5.3.10

5.3.11

5.3.12

5.3.14

5.4.0

5.4.1

5.4.2

5.4.3

5.4.4

5.4.5

5.4.6

5.4.7

5.4.8

5.4.9

5.4.10

5.4.11

5.4.12

5.5.1

5.5.2

5.5.3

5.5.4

5.5.6

5.5.7

5.5.8

5.5.9

5.5.10

5.5.11

5.5.12

5.5.13

5.5.14

5.5.15

5.5.16

5.6.0

5.6.1

5.6.2

5.6.3

5.6.4

5.6.5

5.6.6

5.6.7

5.6.9

5.6.12

5.6.13

5.6.15

5.6.17

5.6.18

5.6.19

5.6.20

5.6.21

5.6.22

5.6.23

5.6.24

5.6.25

5.6.26

5.6.27

5.6.28

5.6.29

5.6.30

5.6.31

5.6.32

5.6.33

5.6.34

5.6.35

5.6.36

5.6.37

5.6.38

5.6.39

5.6.40

5.6.41

5.6.42

5.6.43

5.6.44

5.6.45

5.6.46

5.6.47

5.6.48

5.6.50

5.6.51

5.6.52

5.6.53

5.6.54

5.6.55

5.6.56

5.6.57

5.6.58

5.6.59

5.6.60

5.6.61

5.6.62

5.6.63

5.6.64

5.6.65

5.6.66

5.6.67

5.6.68

5.6.69

5.6.70

5.6.71

5.6.72

5.6.73

5.6.74

5.6.75

5.6.76

5.6.77

5.6.78

5.6.79

5.6.80

5.6.81

5.6.82

5.6.83

5.6.84

5.6.85

5.6.86

5.6.87

5.6.88

5.6.89

5.6.90

5.6.91

Maven / ca.uhn.hapi.fhir:org.hl7.fhir.validation

Package

Name: ca.uhn.hapi.fhir:org.hl7.fhir.validation; View open source insights on deps.dev
Purl: pkg:maven/ca.uhn.hapi.fhir/org.hl7.fhir.validation

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.6.92

Affected versions

0.*

0.0.1

0.0.2

0.0.14

0.1.18

1.*

1.0.0

1.1.67

4.*

4.0.0

4.0.1

4.0.2

4.0.3

4.1.0

4.2.0

5.*

5.0.0

5.0.7

5.0.8

5.0.9

5.0.10

5.0.11

5.0.12

5.0.13

5.0.14

5.0.15

5.0.16

5.0.17

5.0.18

5.0.19

5.0.20

5.0.21

5.0.22

5.1.0

5.1.1

5.1.2

5.1.3

5.1.4

5.1.5

5.1.6

5.1.7

5.1.8

5.1.9

5.1.10

5.1.11

5.1.12

5.1.13

5.1.14

5.1.15

5.1.16

5.1.17

5.1.18

5.1.19

5.1.20

5.1.21

5.1.22

5.2.0

5.2.1

5.2.3

5.2.4

5.2.5

5.2.7

5.2.8

5.2.9

5.2.10

5.2.11

5.2.12

5.2.13

5.2.16

5.2.18

5.2.19

5.2.20

5.3.0

5.3.1

5.3.2

5.3.3

5.3.4

5.3.5

5.3.6

5.3.7

5.3.8

5.3.9

5.3.10

5.3.11

5.3.12

5.3.14

5.4.0

5.4.1

5.4.2

5.4.3

5.4.4

5.4.5

5.4.6

5.4.7

5.4.8

5.4.9

5.4.10

5.4.11

5.4.12

5.5.1

5.5.2

5.5.3

5.5.4

5.5.6

5.5.7

5.5.8

5.5.9

5.5.10

5.5.11

5.5.12

5.5.13

5.5.14

5.5.15

5.5.16

5.6.0

5.6.1

5.6.2

5.6.3

5.6.4

5.6.5

5.6.6

5.6.7

5.6.9

5.6.12

5.6.13

5.6.15

5.6.17

5.6.18

5.6.19

5.6.20

5.6.21

5.6.22

5.6.23

5.6.24

5.6.25

5.6.26

5.6.27

5.6.28

5.6.29

5.6.30

5.6.31

5.6.32

5.6.33

5.6.34

5.6.35

5.6.36

5.6.37

5.6.38

5.6.39

5.6.40

5.6.41

5.6.42

5.6.43

5.6.44

5.6.45

5.6.46

5.6.47

5.6.48

5.6.50

5.6.51

5.6.52

5.6.53

5.6.54

5.6.55

5.6.56

5.6.57

5.6.58

5.6.59

5.6.60

5.6.61

5.6.62

5.6.63

5.6.64

5.6.65

5.6.66

5.6.67

5.6.68

5.6.69

5.6.70

5.6.71

5.6.72

5.6.73

5.6.74

5.6.75

5.6.76

5.6.77

5.6.78

5.6.79

5.6.80

5.6.81

5.6.82

5.6.83

5.6.84

5.6.85

5.6.86

5.6.87

5.6.88

5.6.89

5.6.90

5.6.91

GHSA-jqh6-9574-5x22

Impact

Vulnerability

Vulnerability 1: Scanner.java

Vulnerability 2: TerminologyCacheManager.java

Patches

Workarounds

References

Affected packages

Maven / ca.uhn.hapi.fhir:org.hl7.fhir.core

Package

Affected ranges

Affected versions

0.*

1.*

4.*

5.*

Maven / ca.uhn.hapi.fhir:org.hl7.fhir.convertors

Package

Affected ranges

Affected versions

0.*

1.*

4.*

5.*

Maven / ca.uhn.hapi.fhir:org.hl7.fhir.r4b

Package

Affected ranges

Affected versions

5.*

Maven / ca.uhn.hapi.fhir:org.hl7.fhir.r5

Package

Affected ranges

Affected versions

0.*

1.*

4.*

5.*

Maven / ca.uhn.hapi.fhir:org.hl7.fhir.utilities

Package

Affected ranges

Affected versions

0.*

1.*

4.*

5.*

Maven / ca.uhn.hapi.fhir:org.hl7.fhir.validation

Package

Affected ranges

Affected versions

0.*

1.*

4.*

5.*

Vulnerability 1: `Scanner.java`

Vulnerability 2: `TerminologyCacheManager.java`