Open jellisgwn opened 1 year ago
Note that the code path for this vulnerability is not used anywhere in HAPI FHIR - The "zip slip" vulnerability can only be exploited in code that is used to write NPM packages, and this is not used in the hapi-fhir library. However, we will be upgrading past this level shortly.
Work on upgrading core is in branch ja_20230124_bump_core
Thanks for the update @jamesagnew.
The problem with having this issue open and unresolved is that, to decision makers, this is a critical cyber security indicator, and while this issue is open HAPI FHIR will be a risk to the production environment.
see: https://ossindex.sonatype.org/vulnerability/CVE-2023-24057?component-type=maven&component-name=ca.uhn.hapi.fhir%2Forg.hl7.fhir.utilities
Upgrade FHIR Core Libraries to 5.6.92.