CVE-2023-24057

Name of the Vulnerable Software and Affected Versions HL7 FHIR Core Libraries versions prior to 5.6.92

Description The issue allows attackers to extract files into arbitrary directories via directory traversal from a crafted ZIP or TGZ archive. This can be exploited through a Man-in-the-Middle (MITM) attack, enabling Zip-Slip. The vulnerability is due to insufficient validation of zip file entries, which can be maliciously crafted to write outside the intended destination directory. The Utilities.path(String... path) method does not properly normalize the path, making it possible to bypass guard logic. An attacker can control the return value of ze.getName() and supply a malicious value, or control the contents of the Zip file via a MITM attack.

Recommendations For versions prior to 5.6.92, update to version 5.6.92 or later to resolve the issue. As a temporary workaround, consider disabling the Scanner.java and TerminologyCacheManager.java functions until a patch is available. Restrict access to the vulnerable Utilities.path(String... path) method to minimize the risk of exploitation. Avoid using the ze.getName() function in the affected code until the issue is resolved.