{ "schema_version": "1.4.0", "id": "GHSA-9654-pr4f-gh6m", "modified": "2023-12-15T22:19:57Z", "published": "2023-03-10T22:15:55Z", "aliases": [ "CVE-2023-28465" ], "summary": "HL7 FHIR Partial Path Zip Slip due to bypass of CVE-2023-24057", "details": "### Impact\n\nZip Slip protections implemented in CVE-2023-24057 (GHSA-jqh6-9574-5x22) can be bypassed due a partial path traversal vulnerability.\n\nThis issue allows a malicious actor to potentially break out of the `TerminologyCacheManager` cache directory. The impact is limited to sibling directories.\n\nTo demonstrate the vulnerability, consider `userControlled.getCanonicalPath().startsWith(\"/usr/out\")` will allow an attacker to access a directory with a name like `/usr/outnot`. \n\n### Why?\n\nTo demonstrate this vulnerability, consider `\"/usr/outnot\".startsWith(\"/usr/out\")`.\nThe check is bypassed although `/outnot` is not under the `/out` directory.\nIt's important to understand that the terminating slash may be removed when using various `String` representations of the `File` object.\nFor example, on Linux, `println(new File(\"/var\"))` will print `/var`, but `println(new File(\"/var\", \"/\")` will print `/var/`;\nhowever, `println(new File(\"/var\", \"/\").getCanonicalPath())` will print `/var`.\n\n### The Fix\n\nComparing paths with the `java.nio.files.Path#startsWith` will adequately protect againts this vulnerability.\n\nFor example: `file.getCanonicalFile().toPath().startsWith(BASE_DIRECTORY)` or `file.getCanonicalFile().toPath().startsWith(BASE_DIRECTORY_FILE.getCanonicalFile().toPath())`\n\n### Other Examples\n\n - [CVE-2022-31159](https://github.com/aws/aws-sdk-java/security/advisories/GHSA-c28r-hw5m-5gv3) - aws/aws-sdk-java\n - [CVE-2022-23457](https://securitylab.github.com/advisories/GHSL-2022-008_The_OWASP_Enterprise_Security_API/) - ESAPI/esapi-java-legacy\n\n### Vulnerability\n\nhttps://github.com/hapifhir/org.hl7.fhir.core/blob/b0daf666725fa14476d147522155af1e81922aac/org.hl7.fhir.r4b/src/main/java/org/hl7/fhir/r4b/terminologies/TerminologyCacheManager.java#L99-L105\n\nWhile `getAbsolutePath` will return a normalized path, because the string `path` is not slash terminated, the guard can be bypassed to write the contents of the Zip file to a sibling directory of the cache directory.\n\n### Patches\nAll org.hl7.fhir.core libraries should be updated to 5.6.106.\n - https://github.com/hapifhir/org.hl7.fhir.core/pull/1162\n\n### Workarounds\nUnknown\n\n### References\n* https://snyk.io/research/zip-slip-vulnerability\n", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "affected": [ { "package": { "ecosystem": "Maven", "name": "ca.uhn.hapi.fhir:org.hl7.fhir.core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "5.6.106" } ] } ] }, { "package": { "ecosystem": "Maven", "name": "ca.uhn.hapi.fhir:org.hl7.fhir.convertors" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "5.6.106" } ] } ] }, { "package": { "ecosystem": "Maven", "name": "ca.uhn.hapi.fhir:org.hl7.fhir.r4b" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "5.6.106" } ] } ] }, { "package": { "ecosystem": "Maven", "name": "ca.uhn.hapi.fhir:org.hl7.fhir.r5" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "5.6.106" } ] } ] }, { "package": { "ecosystem": "Maven", "name": "ca.uhn.hapi.fhir:org.hl7.fhir.utilities" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "5.6.106" } ] } ] }, { "package": { "ecosystem": "Maven", "name": "ca.uhn.hapi.fhir:org.hl7.fhir.validation" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "5.6.106" } ] } ] } ], "references": [ { "type": "WEB", "url": "https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-9654-pr4f-gh6m" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28465" }, { "type": "WEB", "url": "https://github.com/hapifhir/org.hl7.fhir.core/pull/1162" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-9654-pr4f-gh6m" }, { "type": "PACKAGE", "url": "https://github.com/hapifhir/org.hl7.fhir.core" }, { "type": "WEB", "url": "https://github.com/hapifhir/org.hl7.fhir.core/blob/b0daf666725fa14476d147522155af1e81922aac/org.hl7.fhir.r4b/src/main/java/org/hl7/fhir/r4b/terminologies/TerminologyCacheManager.java#L99-L105" }, { "type": "WEB", "url": "https://github.com/hapifhir/org.hl7.fhir.core/releases/tag/5.6.106" }, { "type": "WEB", "url": "https://www.smilecdr.com/our-blog" }, { "type": "WEB", "url": "https://www.smilecdr.com/our-blog/statement-on-cve-2023-24057-smile-digital-health" } ], "database_specific": { "cwe_ids": [ "CWE-22" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2023-03-10T22:15:55Z", "nvd_published_at": "2023-12-12T17:15:07Z" } }