
GHSA-xr8x-pxm6-prjg org.hl7.fhir.publisher:org.hl7.fhir.publisher

Package

Manager: maven
Name: org.hl7.fhir.publisher:org.hl7.fhir.publisher
Vulnerable Version: >=0 <1.2.30

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

EPSS: N/A (percentile: N/A)

Details

MITM based Zip Slip in `org.hl7.fhir.publisher:org.hl7.fhir.publisher`

### Impact

An attacker able to intercept the connection over which the publisher downloads archives (a man-in-the-middle) can serve a crafted zip file and enable Zip Slip: archive entries whose names contain path traversal sequences such as `../` are written outside the intended destination directory.

### Vulnerability

#### Vulnerability 1: `Publisher.java`

There is no validation that the entries of the zip file being unpacked do not maliciously write outside of the intended destination directory.

https://github.com/HL7/fhir-ig-publisher/blob/87313e92de6dd6cea816449e0edd225e054a7891/org.hl7.fhir.publisher.core/src/main/java/org/hl7/fhir/igtools/publisher/Publisher.java#L3598-L3610

#### Vulnerability 2: `WebSourceProvider.java`

There is a check for malicious zip entries here, but it is not covered by test cases and could be reverted by future changes without anything failing.

https://github.com/HL7/fhir-ig-publisher/blob/87313e92de6dd6cea816449e0edd225e054a7891/org.hl7.fhir.publisher.core/src/main/java/org/hl7/fhir/igtools/web/WebSourceProvider.java#L104-L112

#### Vulnerability 3: `ZipFetcher.java`

This retains the path of each zip entry in the `FetchedFile` entries, which could later be used to write malicious entries to another compressed file or to the file system.

https://github.com/HL7/fhir-ig-publisher/blob/87313e92de6dd6cea816449e0edd225e054a7891/org.hl7.fhir.publisher.core/src/main/java/org/hl7/fhir/igtools/publisher/ZipFetcher.java#L57-L106

#### Vulnerability 4: `IGPack2NpmConvertor.java`

The `loadZip` method retains the path of each entry in the zip file, which could later be used to write malicious entries to another compressed file or to the file system.

https://github.com/HL7/fhir-ig-publisher/blob/87313e92de6dd6cea816449e0edd225e054a7891/org.hl7.fhir.publisher.core/src/main/java/org/hl7/fhir/igtools/publisher/IGPack2NpmConvertor.java#L442-L463
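The following is an added, self-contained illustration of the Zip Slip pattern described above; it is not code from fhir-ig-publisher and does not reproduce the linked lines. It builds a constructed in-memory archive containing a benign entry and an entry named `../../evil.txt`, extracts it once with the unchecked `new File(dest, entry.getName())` pattern and once with a canonical-path containment check. The class and method names (`ZipSlipDemo`, `unzipUnsafe`, `unzipSafe`, `resolveInside`) are hypothetical. The same `resolveInside` check belongs wherever an entry name retained from an archive (as in Vulnerabilities 3 and 4) is later used to create a file, and a test like the one in `main` is what would keep the check in Vulnerability 2 from being silently reverted.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class ZipSlipDemo {

  // Constructed sample archive (not a real IG package): one benign entry and one
  // whose name climbs two levels above the extraction directory. java.util.zip
  // neither rejects nor normalises such names when writing or reading them.
  static byte[] buildArchive() throws IOException {
    ByteArrayOutputStream bos = new ByteArrayOutputStream();
    try (ZipOutputStream zos = new ZipOutputStream(bos)) {
      zos.putNextEntry(new ZipEntry("package/package.json"));
      zos.write("{\"name\":\"demo.ig\"}".getBytes(StandardCharsets.UTF_8));
      zos.closeEntry();
      zos.putNextEntry(new ZipEntry("../../evil.txt"));
      zos.write("written outside the destination".getBytes(StandardCharsets.UTF_8));
      zos.closeEntry();
    }
    return bos.toByteArray();
  }

  // Vulnerable pattern: the entry name is joined onto the destination with no
  // check, so "../../evil.txt" lands two directories above dest.
  static void unzipUnsafe(InputStream in, File dest) throws IOException {
    try (ZipInputStream zis = new ZipInputStream(in)) {
      ZipEntry e;
      while ((e = zis.getNextEntry()) != null) {
        File out = new File(dest, e.getName());
        if (e.isDirectory()) { out.mkdirs(); continue; }
        out.getParentFile().mkdirs();
        writeFile(zis, out);
      }
    }
  }

  // Hardened resolution: canonicalise both sides (resolving ".." and symlinks),
  // then require the target to sit strictly below the destination. The trailing
  // separator stops a sibling such as "dest2" from passing as a child of "dest".
  static File resolveInside(File dest, String entryName) throws IOException {
    File destDir = dest.getCanonicalFile();
    File target = new File(destDir, entryName).getCanonicalFile();
    String prefix = destDir.getPath() + File.separator;
    if (!target.getPath().startsWith(prefix)) {
      throw new IOException("zip entry escapes destination directory: " + entryName);
    }
    return target;
  }

  static void unzipSafe(InputStream in, File dest) throws IOException {
    try (ZipInputStream zis = new ZipInputStream(in)) {
      ZipEntry e;
      while ((e = zis.getNextEntry()) != null) {
        File out = resolveInside(dest, e.getName()); // throws on traversal
        if (e.isDirectory()) { out.mkdirs(); continue; }
        out.getParentFile().mkdirs();
        writeFile(zis, out);
      }
    }
  }

  // Copies the current zip entry's bytes to a file.
  static void writeFile(InputStream in, File out) throws IOException {
    try (OutputStream os = new FileOutputStream(out)) {
      byte[] buf = new byte[8192];
      int n;
      while ((n = in.read(buf)) != -1) {
        os.write(buf, 0, n);
      }
    }
  }

  public static void main(String[] args) throws IOException {
    // Everything stays under one temp directory so the demo cannot touch real files.
    File root = Files.createTempDirectory("zipslip").toFile();
    File dest = new File(root, "a/b/dest");
    dest.mkdirs();
    File escaped = new File(root, "a/evil.txt"); // where ../../evil.txt resolves from dest

    unzipUnsafe(new ByteArrayInputStream(buildArchive()), dest);
    System.out.println("unsafe extraction wrote outside dest: " + escaped.exists());
    escaped.delete();

    try {
      unzipSafe(new ByteArrayInputStream(buildArchive()), dest);
      System.out.println("safe extraction accepted every entry (unexpected)");
    } catch (IOException ex) {
      System.out.println("safe extraction rejected entry: " + ex.getMessage());
    }
    System.out.println("file outside dest after safe extraction: " + escaped.exists());
  }
}
```

Compile and run with `javac ZipSlipDemo.java && java ZipSlipDemo`; the first extraction creates `a/evil.txt` next to the destination's parent, the second aborts at the traversal entry and leaves nothing outside `dest`. `resolveInside` deliberately rejects an entry that resolves to the destination directory itself (for example `./`), which is the conservative choice; callers that need to accept such directory entries should special-case `target.equals(destDir)` rather than loosen the prefix check.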

Metadata

Created: 2023-01-23T22:04:47Z
Modified: 2023-01-23T22:04:47Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-xr8x-pxm6-prjg/GHSA-xr8x-pxm6-prjg.json
CWE IDs: []
Alternative ID: N/A
Finding: F063
Auto approve: 1