10 matches found
Directory traversal
The package-decompression feature in HL7 Health Level 7 FHIR Core Libraries before 5.6.106 allows attackers to copy arbitrary files to certain directories via directory traversal, if an allowed directory name is a substring of the directory name chosen by the attacker. NOTE: this issue exists...
Path Traversal
org.hl7.fhir.r4b is vulnerable to Path Traversal. The vulnerability exists in the unzip function of TerminologyCacheManager.java, which allows an attacker to access files outside the expected directory bypassing the zip slip protection implemented in the CVE-2023-24057...
HL7 FHIR Partial Path Zip Slip due to bypass of CVE-2023-24057
Impact Zip Slip protections implemented in CVE-2023-24057 GHSA-jqh6-9574-5x22 can be bypassed due a partial path traversal vulnerability. This issue allows a malicious actor to potentially break out of the TerminologyCacheManager cache directory. The impact is limited to sibling directories. To...
CVE-2023-24057
HL7 Health Level 7 FHIR Core Libraries before 5.6.92 allow attackers to extract files into arbitrary directories via directory traversal from a crafted ZIP or TGZ archive for a prepackaged terminology cache, NPM package, or comparison archive...
CVE-2023-24057
HL7 FHIR Core Libraries are affected by a directory-traversal issue in package-decompression. Affected: versions prior to 5.6.106 (per PT-2023-21736); earlier notes reference 5.6.92. Root cause: extraction of archives (ZIP/TGZ) can write files to arbitrary directories. Mitigation: upgrade to 5.6....
ca.uhn.hapi.fhir:hapi-fhir-cli-api (>=4.0.0 <=6.4.0), ca.uhn.hapi.fhir:hapi-fhir-cli-app (>=5.6.5 <=6.4.0) +164 more potentially affected by CVE-2023-24057 via ca.uhn.hapi.fhir:org.hl7.fhir.r5 (>=0.0.1 <=5.6.91)
ca.uhn.hapi.fhir:org.hl7.fhir.r5 MAVEN version =0.0.1, =4.0.0, =5.6.5, =4.1.0, =4.0.3, =4.1.0, =4.0.0, =5.0.0, =4.0.0, =5.3.0, =6.2.0, =5.1.0, =5.3.0, =4.0.0, =4.1.0, =6.4.0 and more Source cves: CVE-2023-24057 Source advisory: OSV:GHSA-JQH6-9574-5X22...
ca.uhn.hapi.fhir:hapi-fhir-cli-api (>=4.0.0 <=6.4.0), ca.uhn.hapi.fhir:hapi-fhir-cli-app (>=5.6.5 <=6.4.0) +139 more potentially affected by CVE-2023-24057 via ca.uhn.hapi.fhir:org.hl7.fhir.convertors (>=0.0.1 <=5.6.91)
ca.uhn.hapi.fhir:org.hl7.fhir.convertors MAVEN version =0.0.1, =4.0.0, =5.6.5, =4.1.0, =4.0.0, =4.1.0, =4.0.0, =5.0.0, =4.0.0, =5.3.0, =6.2.0, =5.1.0, =5.3.0, =4.0.0, =4.0.0, =6.4.0 and more Source cves: CVE-2023-24057 Source advisory: OSV:GHSA-JQH6-9574-5X22...
au.csiro.pathling:encoders (>=5.1.0 <=6.1.4), au.csiro.pathling:fhir-server (>=5.3.1 <=6.1.4) +224 more potentially affected by CVE-2023-24057 via ca.uhn.hapi.fhir:org.hl7.fhir.utilities (>=0.0.1 <=5.6.91)
ca.uhn.hapi.fhir:org.hl7.fhir.utilities MAVEN version =0.0.1, =5.1.0, =5.3.1, =5.3.1, =5.3.1, =5.3.0, =0.0.9, =5.6.5, =5.6.5, =5.6.5, =4.0.0, =5.6.5, =4.1.0, =4.0.3, =4.1.0, =4.0.0, =5.2.1 and more Source cves: CVE-2023-24057 Source advisory: OSV:GHSA-JQH6-9574-5X22...
ca.uhn.hapi.fhir:hapi-fhir-cli-api (>=4.0.0 <=6.4.0), ca.uhn.hapi.fhir:hapi-fhir-cli-app (>=5.6.5 <=6.4.0) +133 more potentially affected by CVE-2023-24057 via ca.uhn.hapi.fhir:org.hl7.fhir.validation (>=1.0.0 <=5.6.91)
ca.uhn.hapi.fhir:org.hl7.fhir.validation MAVEN version =1.0.0, =4.0.0, =5.6.5, =4.1.0, =4.1.0, =4.0.0, =5.0.0, =4.0.0, =5.3.0, =6.2.0, =5.1.0, =5.3.0, =4.0.0, =4.0.0, =4.0.0, =5.4.0 and more Source cves: CVE-2023-24057 Source advisory: OSV:GHSA-JQH6-9574-5X22...
io.connectedhealth-idaas:idaas-eventbuilder (=2.3.0) potentially affected by CVE-2023-24057 via ca.uhn.hapi.fhir:org.hl7.fhir.core (=5.1.7)
ca.uhn.hapi.fhir:org.hl7.fhir.core MAVEN version =5.1.7 is affected by a known vulnerability. The following packages have a transitive dependency on ca.uhn.hapi.fhir:org.hl7.fhir.core and may be impacted: - io.connectedhealth-idaas:idaas-eventbuilder =2.3.0 Source cves: CVE-2023-24057 Source...