GHSA-xr8x-pxm6-prjg

Suggest an improvement
Source
https://github.com/advisories/GHSA-xr8x-pxm6-prjg
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-xr8x-pxm6-prjg/GHSA-xr8x-pxm6-prjg.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-xr8x-pxm6-prjg
Aliases
Published
2023-01-23T22:04:47Z
Modified
2024-12-03T06:06:04.365287Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
Summary
MITM based Zip Slip in `org.hl7.fhir.publisher:org.hl7.fhir.publisher`
Details

Impact

MITM can enable Zip-Slip.

Vulnerability

Vulnerability 1: Publisher.java

There is no validation that the zip file being unpacked has entries that are not maliciously writing outside of the intended destination directory.

https://github.com/HL7/fhir-ig-publisher/blob/87313e92de6dd6cea816449e0edd225e054a7891/org.hl7.fhir.publisher.core/src/main/java/org/hl7/fhir/igtools/publisher/Publisher.java#L3598-L3610

Vulnerability 2: WebSourceProvider.java

There is a check for malicious zip entries here, but it is not covered by test cases and could potentially be reverted in future changes.

https://github.com/HL7/fhir-ig-publisher/blob/87313e92de6dd6cea816449e0edd225e054a7891/org.hl7.fhir.publisher.core/src/main/java/org/hl7/fhir/igtools/web/WebSourceProvider.java#L104-L112

Vulnerability 3: ZipFetcher.java

This retains the path for Zip files in FetchedFile entries, which could later be used to output malicious entries to another compressed file or file system.

https://github.com/HL7/fhir-ig-publisher/blob/87313e92de6dd6cea816449e0edd225e054a7891/org.hl7.fhir.publisher.core/src/main/java/org/hl7/fhir/igtools/publisher/ZipFetcher.java#L57-L106

Vulnerability 4: IGPack2NpmConvertor.java

The loadZip method retains the path for entries in the zip file, which could later be used to output malicious entries to another compressed file or file system.

https://github.com/HL7/fhir-ig-publisher/blob/87313e92de6dd6cea816449e0edd225e054a7891/org.hl7.fhir.publisher.core/src/main/java/org/hl7/fhir/igtools/publisher/IGPack2NpmConvertor.java#L442-L463

Database specific 
{
    "nvd_published_at": null,
    "cwe_ids": [],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-23T22:04:47Z"
}
References

Affected packages

Maven / org.hl7.fhir.publisher:org.hl7.fhir.publisher

Package

Name
org.hl7.fhir.publisher:org.hl7.fhir.publisher
View open source insights on deps.dev
Purl
pkg:maven/org.hl7.fhir.publisher/org.hl7.fhir.publisher

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.2.30

Affected versions

1.*

1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.1.6
1.1.7
1.1.8
1.1.9
1.1.10
1.1.11
1.1.12
1.1.13
1.1.14
1.1.15
1.1.16
1.1.17
1.1.18
1.1.19
1.1.20
1.1.21
1.1.22
1.1.23
1.1.24
1.1.25
1.1.26
1.1.27
1.1.28
1.1.29
1.1.30
1.1.31
1.1.32
1.1.33
1.1.34
1.1.35
1.1.36
1.1.37
1.1.38
1.1.39
1.1.40
1.1.41
1.1.42
1.1.43
1.1.44
1.1.45
1.1.46
1.1.47
1.1.48
1.1.50
1.1.51
1.1.124
1.1.125
1.1.126
1.1.127
1.1.128
1.1.129
1.1.130
1.1.131
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.2.6
1.2.7
1.2.8
1.2.9
1.2.10
1.2.11
1.2.12
1.2.13
1.2.14
1.2.15
1.2.16
1.2.17
1.2.18
1.2.19
1.2.20
1.2.21
1.2.22
1.2.23
1.2.24
1.2.25
1.2.26
1.2.27
1.2.28
1.2.29