{ "schema_version": "1.4.0", "id": "GHSA-jqh6-9574-5x22", "modified": "2025-04-01T23:06:23Z", "published": "2023-01-23T22:05:28Z", "aliases": [ "CVE-2023-24057" ], "summary": " MITM based Zip Slip in `ca.uhn.hapi.fhir:org.hl7.fhir.core`", "details": "### Impact\n\nMITM can enable Zip-Slip.\n\n### Vulnerability\n\n#### Vulnerability 1: `Scanner.java`\n\nThere is no validation that the zip file being unpacked has entries that are not maliciously writing outside of the intended destination directory.\nhttps://github.com/hapifhir/org.hl7.fhir.core/blob/8c43e21094af971303131efd081503e5a112db4b/org.hl7.fhir.validation/src/main/java/org/hl7/fhir/validation/Scanner.java#L335-L357\n\nThis zip archive is downloaded over HTTP instead of HTTPS, leaving it vulnerable to compromise in-flight.\nhttps://github.com/hapifhir/org.hl7.fhir.core/blob/8c43e21094af971303131efd081503e5a112db4b/org.hl7.fhir.validation/src/main/java/org/hl7/fhir/validation/Scanner.java#L136\n\n##### Vulnerability 2: `TerminologyCacheManager.java`\n\n**Note:** While these links point to only one implementation, both implementations of `TerminologyCacheManager.java` are vulnerable to this as their code seems to be duplicated.\n - https://github.com/hapifhir/org.hl7.fhir.core/blob/f58b7acfb5e393cac52cc5bbb170bdb669c2880e/org.hl7.fhir.r5/src/main/java/org/hl7/fhir/r5/terminologies/TerminologyCacheManager.java\n - https://github.com/hapifhir/org.hl7.fhir.core/blob/f58b7acfb5e393cac52cc5bbb170bdb669c2880e/org.hl7.fhir.r4b/src/main/java/org/hl7/fhir/r4b/terminologies/TerminologyCacheManager.java\n\nWhile there is validation in this bit of logic that attempts to validate that the zip file doesn't contain malicious entries that escape the destination directory, the guard is insufficient.\n\nhttps://github.com/hapifhir/org.hl7.fhir.core/blob/f58b7acfb5e393cac52cc5bbb170bdb669c2880e/org.hl7.fhir.r5/src/main/java/org/hl7/fhir/r5/terminologies/TerminologyCacheManager.java#L97-L113\n\nThis is because the `Utilities.path(String... path)` method does not normalize the path, although it seems to be attempting to do so.\nhttps://github.com/hapifhir/org.hl7.fhir.core/blob/f58b7acfb5e393cac52cc5bbb170bdb669c2880e/org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/Utilities.java#L617-L675\n\nThe normalization only occurs if the path element starts with a path traversal payload. As an example, calling `Utilities.path(\"/base\", \"/child/../test\")` will return the string `\"/base/child/../test\"`.\n\nThis guard logic can, thus, be easily bypassed:\nhttps://github.com/hapifhir/org.hl7.fhir.core/blob/f58b7acfb5e393cac52cc5bbb170bdb669c2880e/org.hl7.fhir.r5/src/main/java/org/hl7/fhir/r5/terminologies/TerminologyCacheManager.java#L100-L104\n\nAssuming an attacker can control the return value of `ze.getName()`, they can supply a value like `/anything/../../../../zipsip-protection-bypass.txt`.\n\nSimilarly, an attacker can control the contents of the Zip file via a MITM attack as this logic is used with resources not downloaded over HTTPS.\n\nhttps://github.com/hapifhir/org.hl7.fhir.core/blob/f58b7acfb5e393cac52cc5bbb170bdb669c2880e/org.hl7.fhir.r5/src/main/java/org/hl7/fhir/r5/terminologies/TerminologyCacheManager.java#L66-L73\n\n\n### Patches\nUnknown\n\n### Workarounds\nUnknown\n\n### References\n\n - https://snyk.io/research/zip-slip-vulnerability", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" } ], "affected": [ { "package": { "ecosystem": "Maven", "name": "ca.uhn.hapi.fhir:org.hl7.fhir.core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "5.6.92" } ] } ] }, { "package": { "ecosystem": "Maven", "name": "ca.uhn.hapi.fhir:org.hl7.fhir.convertors" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "5.6.92" } ] } ] }, { "package": { "ecosystem": "Maven", "name": "ca.uhn.hapi.fhir:org.hl7.fhir.r4b" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "5.6.92" } ] } ] }, { "package": { "ecosystem": "Maven", "name": "ca.uhn.hapi.fhir:org.hl7.fhir.r5" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "5.6.92" } ] } ] }, { "package": { "ecosystem": "Maven", "name": "ca.uhn.hapi.fhir:org.hl7.fhir.utilities" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "5.6.92" } ] } ] }, { "package": { "ecosystem": "Maven", "name": "ca.uhn.hapi.fhir:org.hl7.fhir.validation" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "5.6.92" } ] } ] } ], "references": [ { "type": "WEB", "url": "https://github.com/HL7/fhir-ig-publisher/security/advisories/GHSA-xr8x-pxm6-prjg" }, { "type": "WEB", "url": "https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-jqh6-9574-5x22" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24057" }, { "type": "WEB", "url": "https://github.com/hapifhir/org.hl7.fhir.core/commit/b50aec59124416b7315a49220cfc3999223414cc" }, { "type": "PACKAGE", "url": "https://github.com/hapifhir/org.hl7.fhir.core" } ], "database_specific": { "cwe_ids": [ "CWE-22" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2023-01-23T22:05:28Z", "nvd_published_at": "2023-01-26T21:18:00Z" } }