This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
{"id": "CVE-2023-28465", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2023-28465", "description": "This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.", "published": "2023-03-16T21:56:17", "modified": "2023-03-16T21:56:17", "cvss": {}, "cvss2": {}, "cvss3": {}, "href": "", "reporter": "candidate", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2023-03-16T21:56:17", "viewCount": 455, "enchantments": {"dependencies": {"references": [{"type": "github", "idList": ["GHSA-9654-PR4F-GH6M"]}, {"type": "osv", "idList": ["OSV:GHSA-9654-PR4F-GH6M"]}]}, "score": {"value": 1.5, "vector": "NONE"}, "vulnersScore": 1.5}, "_state": {"dependencies": 1679003874, "score": 1684018209, "epss": 1679362613}, "_internal": {"score_hash": "e7d99fd2b92d04de8e8d425b9e15fa7c"}, "cna_cvss": {}, "cpe": [], "cpe23": [], "cwe": [], "affectedSoftware": [], "affectedConfiguration": [], "cpeConfiguration": {}, "extraReferences": [], "product_info": [], "exploits": [], "problemTypes": []}
{"github": [{"lastseen": "2023-03-16T17:08:52", "description": "### Impact\n\nZip Slip protections implemented in CVE-2023-24057 (GHSA-jqh6-9574-5x22) can be bypassed due a partial path traversal vulnerability.\n\nThis issue allows a malicious actor to potentially break out of the `TerminologyCacheManager` cache directory. The impact is limited to sibling directories.\n\nTo demonstrate the vulnerability, consider `userControlled.getCanonicalPath().startsWith(\"/usr/out\")` will allow an attacker to access a directory with a name like `/usr/outnot`. \n\n### Why?\n\nTo demonstrate this vulnerability, consider `\"/usr/outnot\".startsWith(\"/usr/out\")`.\nThe check is bypassed although `/outnot` is not under the `/out` directory.\nIt's important to understand that the terminating slash may be removed when using various `String` representations of the `File` object.\nFor example, on Linux, `println(new File(\"/var\"))` will print `/var`, but `println(new File(\"/var\", \"/\")` will print `/var/`;\nhowever, `println(new File(\"/var\", \"/\").getCanonicalPath())` will print `/var`.\n\n### The Fix\n\nComparing paths with the `java.nio.files.Path#startsWith` will adequately protect againts this vulnerability.\n\nFor example: `file.getCanonicalFile().toPath().startsWith(BASE_DIRECTORY)` or `file.getCanonicalFile().toPath().startsWith(BASE_DIRECTORY_FILE.getCanonicalFile().toPath())`\n\n### Other Examples\n\n - [CVE-2022-31159](https://github.com/aws/aws-sdk-java/security/advisories/GHSA-c28r-hw5m-5gv3) - aws/aws-sdk-java\n - [CVE-2022-23457](https://securitylab.github.com/advisories/GHSL-2022-008_The_OWASP_Enterprise_Security_API/) - ESAPI/esapi-java-legacy\n\n### Vulnerability\n\nhttps://github.com/hapifhir/org.hl7.fhir.core/blob/b0daf666725fa14476d147522155af1e81922aac/org.hl7.fhir.r4b/src/main/java/org/hl7/fhir/r4b/terminologies/TerminologyCacheManager.java#L99-L105\n\nWhile `getAbsolutePath` will return a normalized path, because the string `path` is not slash terminated, the guard can be bypassed to write the contents of the Zip file to a sibling directory of the cache directory.\n\n### Patches\nAll org.hl7.fhir.core libraries should be updated to 5.6.106.\n - https://github.com/hapifhir/org.hl7.fhir.core/pull/1162\n\n### Workarounds\nUnknown\n\n### References\n* https://snyk.io/research/zip-slip-vulnerability\n", "cvss3": {}, "published": "2023-03-10T22:15:55", "type": "github", "title": "HL7 FHIR Partial Path Zip Slip due to bypass of CVE-2023-24057", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2022-23457", "CVE-2022-31159", "CVE-2023-24057", "CVE-2023-28465"], "modified": "2023-03-16T16:23:58", "id": "GHSA-9654-PR4F-GH6M", "href": "https://github.com/advisories/GHSA-9654-pr4f-gh6m", "cvss": {"score": 0.0, "vector": "NONE"}}], "osv": [{"lastseen": "2023-04-11T01:31:11", "description": "### Impact\n\nZip Slip protections implemented in CVE-2023-24057 (GHSA-jqh6-9574-5x22) can be bypassed due a partial path traversal vulnerability.\n\nThis issue allows a malicious actor to potentially break out of the `TerminologyCacheManager` cache directory. The impact is limited to sibling directories.\n\nTo demonstrate the vulnerability, consider `userControlled.getCanonicalPath().startsWith(\"/usr/out\")` will allow an attacker to access a directory with a name like `/usr/outnot`. \n\n### Why?\n\nTo demonstrate this vulnerability, consider `\"/usr/outnot\".startsWith(\"/usr/out\")`.\nThe check is bypassed although `/outnot` is not under the `/out` directory.\nIt's important to understand that the terminating slash may be removed when using various `String` representations of the `File` object.\nFor example, on Linux, `println(new File(\"/var\"))` will print `/var`, but `println(new File(\"/var\", \"/\")` will print `/var/`;\nhowever, `println(new File(\"/var\", \"/\").getCanonicalPath())` will print `/var`.\n\n### The Fix\n\nComparing paths with the `java.nio.files.Path#startsWith` will adequately protect againts this vulnerability.\n\nFor example: `file.getCanonicalFile().toPath().startsWith(BASE_DIRECTORY)` or `file.getCanonicalFile().toPath().startsWith(BASE_DIRECTORY_FILE.getCanonicalFile().toPath())`\n\n### Other Examples\n\n - [CVE-2022-31159](https://github.com/aws/aws-sdk-java/security/advisories/GHSA-c28r-hw5m-5gv3) - aws/aws-sdk-java\n - [CVE-2022-23457](https://securitylab.github.com/advisories/GHSL-2022-008_The_OWASP_Enterprise_Security_API/) - ESAPI/esapi-java-legacy\n\n### Vulnerability\n\nhttps://github.com/hapifhir/org.hl7.fhir.core/blob/b0daf666725fa14476d147522155af1e81922aac/org.hl7.fhir.r4b/src/main/java/org/hl7/fhir/r4b/terminologies/TerminologyCacheManager.java#L99-L105\n\nWhile `getAbsolutePath` will return a normalized path, because the string `path` is not slash terminated, the guard can be bypassed to write the contents of the Zip file to a sibling directory of the cache directory.\n\n### Patches\nAll org.hl7.fhir.core libraries should be updated to 5.6.106.\n - https://github.com/hapifhir/org.hl7.fhir.core/pull/1162\n\n### Workarounds\nUnknown\n\n### References\n* https://snyk.io/research/zip-slip-vulnerability\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-03-10T22:15:55", "type": "osv", "title": "HL7 FHIR Partial Path Zip Slip due to bypass of CVE-2023-24057", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-23457", "CVE-2022-31159", "CVE-2023-24057", "CVE-2023-28465"], "modified": "2023-04-11T01:30:56", "id": "OSV:GHSA-9654-PR4F-GH6M", "href": "https://osv.dev/vulnerability/GHSA-9654-pr4f-gh6m", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}
CVE-2023-28465
