MITM based Zip Slip in `org.hl7.fhir.publisher:org.hl7.fhir.publisher`
MITM can enable Zip-Slip.
There is no validation that the entries of the zip file being unpacked do not write outside the intended destination directory.
There is a check for malicious zip entries here, but it is not covered by test cases and could potentially be reverted in future changes.
This retains the path for Zip files in FetchedFile entries, which could later be used to output malicious entries to another compressed file or file system.
The loadZip method retains the path for entries in the zip file, which could later be used to output malicious entries to another compressed file or file system.
https://github.com/advisories/GHSA-xr8x-pxm6-prjg
Source: GitHub Advisory Database
Published: 12 days ago
Updated: 12 days ago
CVSS Score: 9.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Fixed in: 1.2.30