Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS14cjh4LXB4bTYtcHJqZ84AAxIj
MITM based Zip Slip in `org.hl7.fhir.publisher:org.hl7.fhir.publisher`
Impact
MITM can enable Zip-Slip.
Vulnerability
Publisher.java
Vulnerability 1: There is no validation that the zip file being unpacked has entries that are not maliciously writing outside of the intended destination directory.
WebSourceProvider.java
Vulnerability 2: There is a check for malicious zip entries here, but it is not covered by test cases and could potentially be reverted in future changes.
ZipFetcher.java
Vulnerability 3: This retains the path for Zip files in FetchedFile entries, which could later be used to output malicious entries to another compressed file or file system.
IGPack2NpmConvertor.java
Vulnerability 4: The loadZip method retains the path for entries in the zip file, which could later be used to output malicious entries to another compressed file or file system.
Permalink: https://github.com/advisories/GHSA-xr8x-pxm6-prjgJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14cjh4LXB4bTYtcHJqZ84AAxIj
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: about 1 year ago
Updated: about 1 year ago
CVSS Score: 9.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Identifiers: GHSA-xr8x-pxm6-prjg
References:
- https://github.com/HL7/fhir-ig-publisher/security/advisories/GHSA-xr8x-pxm6-prjg
- https://github.com/advisories/GHSA-xr8x-pxm6-prjg
Affected Packages
maven:org.hl7.fhir.publisher:org.hl7.fhir.publisher
Dependent packages: 0Dependent repositories: 0
Downloads:
Affected Version Ranges: < 1.2.30
Fixed in: 1.2.30
All affected versions: 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.1.7, 1.1.8, 1.1.9, 1.1.10, 1.1.11, 1.1.12, 1.1.13, 1.1.14, 1.1.15, 1.1.16, 1.1.17, 1.1.18, 1.1.19, 1.1.20, 1.1.21, 1.1.22, 1.1.23, 1.1.24, 1.1.25, 1.1.26, 1.1.27, 1.1.28, 1.1.29, 1.1.30, 1.1.31, 1.1.32, 1.1.33, 1.1.34, 1.1.35, 1.1.36, 1.1.37, 1.1.38, 1.1.39, 1.1.40, 1.1.41, 1.1.42, 1.1.43, 1.1.44, 1.1.45, 1.1.46, 1.1.47, 1.1.48, 1.1.50, 1.1.51, 1.1.124, 1.1.125, 1.1.126, 1.1.127, 1.1.128, 1.1.129, 1.1.130, 1.1.131, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.2.8, 1.2.9, 1.2.10, 1.2.11, 1.2.12, 1.2.13, 1.2.14, 1.2.15, 1.2.16, 1.2.17, 1.2.18, 1.2.19, 1.2.20, 1.2.21, 1.2.22, 1.2.23, 1.2.24, 1.2.25, 1.2.26, 1.2.27, 1.2.28, 1.2.29
All unaffected versions: 1.2.30, 1.2.31, 1.2.32, 1.2.33, 1.2.34, 1.2.35, 1.2.36, 1.2.37, 1.2.38, 1.2.39, 1.2.40, 1.2.41, 1.2.42, 1.2.43, 1.2.44, 1.2.45, 1.2.46, 1.2.47, 1.2.48, 1.2.49, 1.2.50, 1.2.51, 1.2.52, 1.2.53, 1.2.54, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.3.9, 1.3.10, 1.3.11, 1.3.12, 1.3.13, 1.3.14, 1.3.15, 1.3.16, 1.3.17, 1.3.18, 1.3.19, 1.3.20, 1.3.21, 1.3.22, 1.3.23, 1.3.24, 1.3.25, 1.3.26, 1.3.27, 1.3.28, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.4.7, 1.4.8, 1.4.9, 1.4.10, 1.4.11, 1.4.12, 1.4.13, 1.4.14, 1.4.15, 1.4.16, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.5.7, 1.5.8, 1.5.10, 1.5.11, 1.5.12, 1.5.13, 1.5.14, 1.5.15, 1.5.16, 1.6.0, 1.6.1