hapifhir / hapi-fhir

🔥 HAPI FHIR - Java API for HL7 FHIR Clients and Servers
http://hapifhir.io
Apache License 2.0

Critical Security Vulnerability in FHIR Core Libraries (CVE-2023-24057) #4480

Open jellisgwn opened 1 year ago

jellisgwn commented 1 year ago

HL7 (Health Level 7) FHIR Core Libraries before 5.6.92 allow attackers to extract files into arbitrary directories via directory traversal from a crafted ZIP or TGZ archive (for a prepackaged terminology cache, NPM package, or comparison archive). CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

see: https://ossindex.sonatype.org/vulnerability/CVE-2023-24057?component-type=maven&component-name=ca.uhn.hapi.fhir%2Forg.hl7.fhir.utilities

Upgrade FHIR Core Libraries to 5.6.92.
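For readers unfamiliar with the CWE-22 pattern the report describes: an archive entry name such as `../outside.txt` is a path, and an extractor that joins it onto the destination directory without checking the result will write outside that directory. The following is an added example, not code from HAPI FHIR or from the org.hl7.fhir.utilities library it depends on; it shows the check a hardened extractor performs (normalize the resolved path, then verify it still starts with the destination) and drives it with two constructed in-memory archives, one well-formed and one carrying a traversal entry. The class and method names are the example's own.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

/**
 * Added example (not HAPI FHIR / org.hl7.fhir.utilities code): extract a ZIP into a
 * destination directory while rejecting entries that would land outside it ("zip slip").
 * The same resolveInside() check applies to TGZ/tar entry names.
 */
public class SafeZipExtract {

    /** Thrown when an archive entry resolves outside the destination directory. */
    public static class ZipSlipException extends IOException {
        public ZipSlipException(String entryName) {
            super("Archive entry escapes destination directory: " + entryName);
        }
    }

    /**
     * Resolve an entry name against the destination and confirm the result stays inside.
     * normalize() collapses ".." segments; an absolute entry name ("/etc/x") replaces the
     * root on resolve() and is caught the same way. Path.startsWith compares whole name
     * elements, so "/tmp/dest-evil" is NOT accepted as inside "/tmp/dest".
     */
    static Path resolveInside(Path destDir, String entryName) throws ZipSlipException {
        Path root = destDir.toAbsolutePath().normalize();
        Path target = root.resolve(entryName).normalize();
        if (!target.startsWith(root)) {
            throw new ZipSlipException(entryName);
        }
        return target;
    }

    /** Extract every entry into destDir; returns the files written. */
    public static List<Path> extract(InputStream zipBytes, Path destDir) throws IOException {
        List<Path> written = new ArrayList<>();
        try (ZipInputStream zis = new ZipInputStream(zipBytes)) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                // Validate the destination BEFORE touching the filesystem.
                Path target = resolveInside(destDir, entry.getName());
                if (entry.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    Files.copy(zis, target); // reads to the end of this entry only
                    written.add(target);
                }
                zis.closeEntry();
            }
        }
        return written;
    }

    /** Build a small in-memory archive (constructed test data) with the given entry names. */
    static byte[] buildZip(String... entryNames) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            for (String name : entryNames) {
                zos.putNextEntry(new ZipEntry(name));
                zos.write("payload".getBytes(StandardCharsets.UTF_8));
                zos.closeEntry();
            }
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        Path dest = Files.createTempDirectory("fhir-package-demo");

        // Well-formed package layout (constructed): extracts normally.
        byte[] good = buildZip("package/package.json", "package/StructureDefinition-x.json");
        System.out.println("extracted: " + extract(new ByteArrayInputStream(good), dest));

        // Entry whose name climbs out of the destination (constructed): rejected, nothing written.
        byte[] bad = buildZip("../outside.txt");
        try {
            extract(new ByteArrayInputStream(bad), dest);
        } catch (ZipSlipException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The important design choice is that the check runs on the normalized, resolved `Path`, not on the raw entry string: filtering `".."` out of names misses absolute entries and encoded variants, whereas comparing the final filesystem location against the destination root covers them all. When auditing an extractor, look for exactly this: every write must be preceded by a containment check on the resolved path.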

jamesagnew commented 1 year ago

Note that the code path for this vulnerability is not used anywhere in HAPI FHIR; the "zip slip" vulnerability can only be exploited in code that is used to write NPM packages, and this is not used in the hapi-fhir library. However, we will be upgrading past this level shortly.

Work on upgrading core is in branch ja_20230124_bump_core

jellisgwn commented 1 year ago

Thanks for the update @jamesagnew.

alejosv commented 9 months ago

The problem with having this issue open and unresolved is that, to decision makers, this is a critical cyber security indicator, and while this issue is open HAPI FHIR will be a risk to production environments.