Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2023-28465

Good to know:

icon
icon

Date: December 11, 2023

The package-decompression feature in HL7 (Health Level 7) FHIR Core Libraries before 5.6.106 allows attackers to copy arbitrary files to certain directories via directory traversal, if an allowed directory name is a substring of the directory name chosen by the attacker. NOTE: this issue exists because of an incomplete fix for CVE-2023-24057.

Language: Java

Severity Score

Related Resources (10)

https://github.com/hapifhir/org.hl7.fhir.core/pull/1162
https://github.com/hapifhir/org.hl7.fhir.core/releases/tag/5.6.106
https://nvd.nist.gov/vuln/detail/CVE-2023-28465
https://github.com/advisories/GHSA-9654-pr4f-gh6m
https://github.com/hapifhir/org.hl7.fhir.core
https://github.com/hapifhir/org.hl7.fhir.core/blob/b0daf666725fa14476d147522155af1e81922aac/org.hl7.fhir.r4b/src/main/java/org/hl7/fhir/r4b/terminologies/TerminologyCacheManager.java#L99-L105
https://www.smilecdr.com/our-blog/statement-on-cve-2023-24057-smile-digital-health
https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-9654-pr4f-gh6m
https://www.smilecdr.com/our-blog
https://www.mend.io/vulnerability-database/CVE-2023-28465

Severity Score

Weakness Type (CWE)

Path Traversal

CWE-22

Top Fix

icon

Upgrade Version

Upgrade to version ca.uhn.hapi.fhir:org.hl7.fhir.utilities:5.6.106, ca.uhn.hapi.fhir:org.hl7.fhir.validation:5.6.106, ca.uhn.hapi.fhir:org.hl7.fhir.r4b:5.6.106, ca.uhn.hapi.fhir:org.hl7.fhir.r5:5.6.106, ca.uhn.hapi.fhir:org.hl7.fhir.convertors:5.6.106

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): NONE
Availability (A): NONE

Do you need more information?

Contact Us