CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
69.7%
Zip Slip protections implemented in CVE-2023-24057 (GHSA-jqh6-9574-5x22) can be bypassed due a partial path traversal vulnerability.
This issue allows a malicious actor to potentially break out of the TerminologyCacheManager
cache directory. The impact is limited to sibling directories.
To demonstrate the vulnerability, consider userControlled.getCanonicalPath().startsWith("/usr/out")
will allow an attacker to access a directory with a name like /usr/outnot
.
To demonstrate this vulnerability, consider "/usr/outnot".startsWith("/usr/out")
.
The check is bypassed although /outnot
is not under the /out
directory.
It’s important to understand that the terminating slash may be removed when using various String
representations of the File
object.
For example, on Linux, println(new File("/var"))
will print /var
, but println(new File("/var", "/")
will print /var/
;
however, println(new File("/var", "/").getCanonicalPath())
will print /var
.
Comparing paths with the java.nio.files.Path#startsWith
will adequately protect againts this vulnerability.
For example: file.getCanonicalFile().toPath().startsWith(BASE_DIRECTORY)
or file.getCanonicalFile().toPath().startsWith(BASE_DIRECTORY_FILE.getCanonicalFile().toPath())
While getAbsolutePath
will return a normalized path, because the string path
is not slash terminated, the guard can be bypassed to write the contents of the Zip file to a sibling directory of the cache directory.
All org.hl7.fhir.core libraries should be updated to 5.6.106.
Unknown
Vendor | Product | Version | CPE |
---|---|---|---|
ca.uhn.hapi.fhir | org.hl7.fhir.validation | * | cpe:2.3:a:ca.uhn.hapi.fhir:org.hl7.fhir.validation:*:*:*:*:*:*:*:* |
ca.uhn.hapi.fhir | org.hl7.fhir.utilities | * | cpe:2.3:a:ca.uhn.hapi.fhir:org.hl7.fhir.utilities:*:*:*:*:*:*:*:* |
ca.uhn.hapi.fhir | org.hl7.fhir.r5 | * | cpe:2.3:a:ca.uhn.hapi.fhir:org.hl7.fhir.r5:*:*:*:*:*:*:*:* |
ca.uhn.hapi.fhir | org.hl7.fhir.r4b | * | cpe:2.3:a:ca.uhn.hapi.fhir:org.hl7.fhir.r4b:*:*:*:*:*:*:*:* |
ca.uhn.hapi.fhir | org.hl7.fhir.convertors | * | cpe:2.3:a:ca.uhn.hapi.fhir:org.hl7.fhir.convertors:*:*:*:*:*:*:*:* |
ca.uhn.hapi.fhir | org.hl7.fhir.core | * | cpe:2.3:a:ca.uhn.hapi.fhir:org.hl7.fhir.core:*:*:*:*:*:*:*:* |
github.com/advisories/GHSA-9654-pr4f-gh6m
github.com/hapifhir/org.hl7.fhir.core/blob/b0daf666725fa14476d147522155af1e81922aac/org.hl7.fhir.r4b/src/main/java/org/hl7/fhir/r4b/terminologies/TerminologyCacheManager.java#L99-L105
github.com/hapifhir/org.hl7.fhir.core/pull/1162
github.com/hapifhir/org.hl7.fhir.core/releases/tag/5.6.106
github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-9654-pr4f-gh6m
nvd.nist.gov/vuln/detail/CVE-2023-28465
www.smilecdr.com/our-blog
www.smilecdr.com/our-blog/statement-on-cve-2023-24057-smile-digital-health
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
69.7%