CVE-2023-28465

Name of the Vulnerable Software and Affected Versions HL7 FHIR Core Libraries versions prior to 5.6.106

Description The issue allows attackers to copy arbitrary files to certain directories via directory traversal, if an allowed directory name is a substring of the directory name chosen by the attacker. This is due to an incomplete fix for a previous issue.

Recommendations For versions prior to 5.6.106, update to version 5.6.106 or later to resolve the issue. As a temporary workaround, consider restricting access to the package-decompression feature to minimize the risk of exploitation.