{
  "schema_version": "1.4.0",
  "id": "GHSA-xr8x-pxm6-prjg",
  "modified": "2023-01-23T22:04:47Z",
  "published": "2023-01-23T22:04:47Z",
  "aliases": [],
  "summary": " MITM based Zip Slip in `org.hl7.fhir.publisher:org.hl7.fhir.publisher`",
  "details": "### Impact\nMITM can enable Zip-Slip.\n\n### Vulnerability\n\n#### Vulnerability 1: `Publisher.java`\n\nThere is no validation that the zip file being unpacked has entries that are not maliciously writing outside of the intended destination directory.\n\nhttps://github.com/HL7/fhir-ig-publisher/blob/87313e92de6dd6cea816449e0edd225e054a7891/org.hl7.fhir.publisher.core/src/main/java/org/hl7/fhir/igtools/publisher/Publisher.java#L3598-L3610\n\n#### Vulnerability 2: `WebSourceProvider.java`\n\nThere is a check for malicious zip entries here, but it is not covered by test cases and could potentially be reverted in future changes.\n\nhttps://github.com/HL7/fhir-ig-publisher/blob/87313e92de6dd6cea816449e0edd225e054a7891/org.hl7.fhir.publisher.core/src/main/java/org/hl7/fhir/igtools/web/WebSourceProvider.java#L104-L112\n\n#### Vulnerability 3: `ZipFetcher.java`\n\nThis retains the path for Zip files in FetchedFile entries, which could later be used to output malicious entries to another compressed file or file system.\n\nhttps://github.com/HL7/fhir-ig-publisher/blob/87313e92de6dd6cea816449e0edd225e054a7891/org.hl7.fhir.publisher.core/src/main/java/org/hl7/fhir/igtools/publisher/ZipFetcher.java#L57-L106\n\n#### Vulnerability 4: `IGPack2NpmConvertor.java`\n\nThe loadZip method retains the path for entries in the zip file, which could later be used to output malicious entries to another compressed file or file system.\n\nhttps://github.com/HL7/fhir-ig-publisher/blob/87313e92de6dd6cea816449e0edd225e054a7891/org.hl7.fhir.publisher.core/src/main/java/org/hl7/fhir/igtools/publisher/IGPack2NpmConvertor.java#L442-L463\n\n",
  "severity": [
    {
      "type": "CVSS_V3",
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.hl7.fhir.publisher:org.hl7.fhir.publisher"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.2.30"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/HL7/fhir-ig-publisher/security/advisories/GHSA-xr8x-pxm6-prjg"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/HL7/fhir-ig-publisher"
    }
  ],
  "database_specific": {
    "cwe_ids": [],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-23T22:04:47Z",
    "nvd_published_at": null
  }
}