An open API service providing security vulnerability metadata for many open source software ecosystems.

Advisories: GSA_kwCzR0hTQS1qcWg2LTk1NzQtNXgyMs4AAxIl

MITM based Zip Slip in `ca.uhn.hapi.fhir:org.hl7.fhir.core`


MITM can enable Zip-Slip.


Vulnerability 1:

There is no validation that the zip file being unpacked has entries that are not maliciously writing outside of the intended destination directory.

This zip archive is downloaded over HTTP instead of HTTPS, leaving it vulnerable to compromise in-flight.

Vulnerability 2:

Note: While these links point to only one implementation, both implementations of are vulnerable to this as their code seems to be duplicated.

While there is validation in this bit of logic that attempts to validate that the zip file doesn't contain malicious entries that escape the destination directory, the guard is insufficient.

This is because the Utilities.path(String... path) method does not normalize the path, although it seems to be attempting to do so.

The normalization only occurs if the path element starts with a path traversal payload. As an example, calling Utilities.path("/base", "/child/../test") will return the string "/base/child/../test".

This guard logic can, thus, be easily bypassed:

Assuming an attacker can control the return value of ze.getName(), they can supply a value like /anything/../../../../zipsip-protection-bypass.txt.

Similarly, an attacker can control the contents of the Zip file via a MITM attack as this logic is used with resources not downloaded over HTTPS.


Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 12 days ago
Updated: 9 days ago

CVSS Score: 9.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Identifiers: GHSA-jqh6-9574-5x22, CVE-2023-24057

Affected Packages

Versions: < 5.6.92
Fixed in: 5.6.92