GHSA-xr8x-pxm6-prjg

Source

https://github.com/advisories/GHSA-xr8x-pxm6-prjg

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-xr8x-pxm6-prjg/GHSA-xr8x-pxm6-prjg.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-xr8x-pxm6-prjg

Related

CVE-2023-24057

Published

2023-01-23T22:04:47Z

Modified

2024-12-03T06:06:04.365287Z

Severity

9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H CVSS Calculator

Summary

MITM based Zip Slip in `org.hl7.fhir.publisher:org.hl7.fhir.publisher`

Details

Impact

MITM can enable Zip-Slip.

Vulnerability

Vulnerability 1: `Publisher.java`

There is no validation that the zip file being unpacked has entries that are not maliciously writing outside of the intended destination directory.

https://github.com/HL7/fhir-ig-publisher/blob/87313e92de6dd6cea816449e0edd225e054a7891/org.hl7.fhir.publisher.core/src/main/java/org/hl7/fhir/igtools/publisher/Publisher.java#L3598-L3610

Vulnerability 2: `WebSourceProvider.java`

There is a check for malicious zip entries here, but it is not covered by test cases and could potentially be reverted in future changes.

https://github.com/HL7/fhir-ig-publisher/blob/87313e92de6dd6cea816449e0edd225e054a7891/org.hl7.fhir.publisher.core/src/main/java/org/hl7/fhir/igtools/web/WebSourceProvider.java#L104-L112

Vulnerability 3: `ZipFetcher.java`

This retains the path for Zip files in FetchedFile entries, which could later be used to output malicious entries to another compressed file or file system.

https://github.com/HL7/fhir-ig-publisher/blob/87313e92de6dd6cea816449e0edd225e054a7891/org.hl7.fhir.publisher.core/src/main/java/org/hl7/fhir/igtools/publisher/ZipFetcher.java#L57-L106

Vulnerability 4: `IGPack2NpmConvertor.java`

The loadZip method retains the path for entries in the zip file, which could later be used to output malicious entries to another compressed file or file system.

https://github.com/HL7/fhir-ig-publisher/blob/87313e92de6dd6cea816449e0edd225e054a7891/org.hl7.fhir.publisher.core/src/main/java/org/hl7/fhir/igtools/publisher/IGPack2NpmConvertor.java#L442-L463

Database specific

{
    "nvd_published_at": null,
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-23T22:04:47Z",
    "severity": "CRITICAL",
    "cwe_ids": []
}

References

Affected packages

Maven / org.hl7.fhir.publisher:org.hl7.fhir.publisher

Package

Name: org.hl7.fhir.publisher:org.hl7.fhir.publisher; View open source insights on deps.dev
Purl: pkg:maven/org.hl7.fhir.publisher/org.hl7.fhir.publisher

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.2.30

Affected versions

1.*

1.1.0

1.1.1

1.1.2

1.1.3

1.1.4

1.1.5

1.1.6

1.1.7

1.1.8

1.1.9

1.1.10

1.1.11

1.1.12

1.1.13

1.1.14

1.1.15

1.1.16

1.1.17

1.1.18

1.1.19

1.1.20

1.1.21

1.1.22

1.1.23

1.1.24

1.1.25

1.1.26

1.1.27

1.1.28

1.1.29

1.1.30

1.1.31

1.1.32

1.1.33

1.1.34

1.1.35

1.1.36

1.1.37

1.1.38

1.1.39

1.1.40

1.1.41

1.1.42

1.1.43

1.1.44

1.1.45

1.1.46

1.1.47

1.1.48

1.1.50

1.1.51

1.1.124

1.1.125

1.1.126

1.1.127

1.1.128

1.1.129

1.1.130

1.1.131

1.2.0

1.2.1

1.2.2

1.2.3

1.2.4

1.2.5

1.2.6

1.2.7

1.2.8

1.2.9

1.2.10

1.2.11

1.2.12

1.2.13

1.2.14

1.2.15

1.2.16

1.2.17

1.2.18

1.2.19

1.2.20

1.2.21

1.2.22

1.2.23

1.2.24

1.2.25

1.2.26

1.2.27

1.2.28

1.2.29