Lucene search

K
githubGitHub Advisory DatabaseGHSA-9654-PR4F-GH6M
HistoryMar 10, 2023 - 10:15 p.m.

HL7 FHIR Partial Path Zip Slip due to bypass of CVE-2023-24057

2023-03-1022:15:55
CWE-22
GitHub Advisory Database
github.com
92
fhir
zip slip
path traversal
vulnerability
file object
cve-2023-24057
java
patches
directory
sibling directory
libraries

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.003

Percentile

69.7%

Impact

Zip Slip protections implemented in CVE-2023-24057 (GHSA-jqh6-9574-5x22) can be bypassed due a partial path traversal vulnerability.

This issue allows a malicious actor to potentially break out of the TerminologyCacheManager cache directory. The impact is limited to sibling directories.

To demonstrate the vulnerability, consider userControlled.getCanonicalPath().startsWith("/usr/out") will allow an attacker to access a directory with a name like /usr/outnot.

Why?

To demonstrate this vulnerability, consider "/usr/outnot".startsWith("/usr/out").
The check is bypassed although /outnot is not under the /out directory.
It’s important to understand that the terminating slash may be removed when using various String representations of the File object.
For example, on Linux, println(new File("/var")) will print /var, but println(new File("/var", "/") will print /var/;
however, println(new File("/var", "/").getCanonicalPath()) will print /var.

The Fix

Comparing paths with the java.nio.files.Path#startsWith will adequately protect againts this vulnerability.

For example: file.getCanonicalFile().toPath().startsWith(BASE_DIRECTORY) or file.getCanonicalFile().toPath().startsWith(BASE_DIRECTORY_FILE.getCanonicalFile().toPath())

Other Examples

Vulnerability

https://github.com/hapifhir/org.hl7.fhir.core/blob/b0daf666725fa14476d147522155af1e81922aac/org.hl7.fhir.r4b/src/main/java/org/hl7/fhir/r4b/terminologies/TerminologyCacheManager.java#L99-L105

While getAbsolutePath will return a normalized path, because the string path is not slash terminated, the guard can be bypassed to write the contents of the Zip file to a sibling directory of the cache directory.

Patches

All org.hl7.fhir.core libraries should be updated to 5.6.106.

Workarounds

Unknown

References

Affected configurations

Vulners
Node
ca.uhn.hapi.fhirorg.hl7.fhir.validationRange<5.6.106
OR
ca.uhn.hapi.fhirorg.hl7.fhir.utilitiesRange<5.6.106
OR
ca.uhn.hapi.fhirorg.hl7.fhir.r5Range<5.6.106
OR
ca.uhn.hapi.fhirorg.hl7.fhir.r4bRange<5.6.106
OR
ca.uhn.hapi.fhirorg.hl7.fhir.convertorsRange<5.6.106
OR
ca.uhn.hapi.fhirorg.hl7.fhir.coreRange<5.6.106
VendorProductVersionCPE
ca.uhn.hapi.fhirorg.hl7.fhir.validation*cpe:2.3:a:ca.uhn.hapi.fhir:org.hl7.fhir.validation:*:*:*:*:*:*:*:*
ca.uhn.hapi.fhirorg.hl7.fhir.utilities*cpe:2.3:a:ca.uhn.hapi.fhir:org.hl7.fhir.utilities:*:*:*:*:*:*:*:*
ca.uhn.hapi.fhirorg.hl7.fhir.r5*cpe:2.3:a:ca.uhn.hapi.fhir:org.hl7.fhir.r5:*:*:*:*:*:*:*:*
ca.uhn.hapi.fhirorg.hl7.fhir.r4b*cpe:2.3:a:ca.uhn.hapi.fhir:org.hl7.fhir.r4b:*:*:*:*:*:*:*:*
ca.uhn.hapi.fhirorg.hl7.fhir.convertors*cpe:2.3:a:ca.uhn.hapi.fhir:org.hl7.fhir.convertors:*:*:*:*:*:*:*:*
ca.uhn.hapi.fhirorg.hl7.fhir.core*cpe:2.3:a:ca.uhn.hapi.fhir:org.hl7.fhir.core:*:*:*:*:*:*:*:*

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.003

Percentile

69.7%