GHSA-XR8X-PXM6-PRJG

Vulnerability from github – Published: 2023-01-23 22:04 – Updated: 2023-01-23 22:04
VLAI
Summary
MITM based Zip Slip in `org.hl7.fhir.publisher:org.hl7.fhir.publisher`
Details

Impact

MITM can enable Zip-Slip.

Vulnerability

Vulnerability 1: Publisher.java

There is no validation that the zip file being unpacked has entries that are not maliciously writing outside of the intended destination directory.

https://github.com/HL7/fhir-ig-publisher/blob/87313e92de6dd6cea816449e0edd225e054a7891/org.hl7.fhir.publisher.core/src/main/java/org/hl7/fhir/igtools/publisher/Publisher.java#L3598-L3610

Vulnerability 2: WebSourceProvider.java

There is a check for malicious zip entries here, but it is not covered by test cases and could potentially be reverted in future changes.

https://github.com/HL7/fhir-ig-publisher/blob/87313e92de6dd6cea816449e0edd225e054a7891/org.hl7.fhir.publisher.core/src/main/java/org/hl7/fhir/igtools/web/WebSourceProvider.java#L104-L112

Vulnerability 3: ZipFetcher.java

This retains the path for Zip files in FetchedFile entries, which could later be used to output malicious entries to another compressed file or file system.

https://github.com/HL7/fhir-ig-publisher/blob/87313e92de6dd6cea816449e0edd225e054a7891/org.hl7.fhir.publisher.core/src/main/java/org/hl7/fhir/igtools/publisher/ZipFetcher.java#L57-L106

Vulnerability 4: IGPack2NpmConvertor.java

The loadZip method retains the path for entries in the zip file, which could later be used to output malicious entries to another compressed file or file system.

https://github.com/HL7/fhir-ig-publisher/blob/87313e92de6dd6cea816449e0edd225e054a7891/org.hl7.fhir.publisher.core/src/main/java/org/hl7/fhir/igtools/publisher/IGPack2NpmConvertor.java#L442-L463

Severity
9.1 (Critical)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.hl7.fhir.publisher:org.hl7.fhir.publisher"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.2.30"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-23T22:04:47Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "### Impact\nMITM can enable Zip-Slip.\n\n### Vulnerability\n\n#### Vulnerability 1: `Publisher.java`\n\nThere is no validation that the zip file being unpacked has entries that are not maliciously writing outside of the intended destination directory.\n\nhttps://github.com/HL7/fhir-ig-publisher/blob/87313e92de6dd6cea816449e0edd225e054a7891/org.hl7.fhir.publisher.core/src/main/java/org/hl7/fhir/igtools/publisher/Publisher.java#L3598-L3610\n\n#### Vulnerability 2: `WebSourceProvider.java`\n\nThere is a check for malicious zip entries here, but it is not covered by test cases and could potentially be reverted in future changes.\n\nhttps://github.com/HL7/fhir-ig-publisher/blob/87313e92de6dd6cea816449e0edd225e054a7891/org.hl7.fhir.publisher.core/src/main/java/org/hl7/fhir/igtools/web/WebSourceProvider.java#L104-L112\n\n#### Vulnerability 3: `ZipFetcher.java`\n\nThis retains the path for Zip files in FetchedFile entries, which could later be used to output malicious entries to another compressed file or file system.\n\nhttps://github.com/HL7/fhir-ig-publisher/blob/87313e92de6dd6cea816449e0edd225e054a7891/org.hl7.fhir.publisher.core/src/main/java/org/hl7/fhir/igtools/publisher/ZipFetcher.java#L57-L106\n\n#### Vulnerability 4: `IGPack2NpmConvertor.java`\n\nThe loadZip method retains the path for entries in the zip file, which could later be used to output malicious entries to another compressed file or file system.\n\nhttps://github.com/HL7/fhir-ig-publisher/blob/87313e92de6dd6cea816449e0edd225e054a7891/org.hl7.fhir.publisher.core/src/main/java/org/hl7/fhir/igtools/publisher/IGPack2NpmConvertor.java#L442-L463\n\n",
  "id": "GHSA-xr8x-pxm6-prjg",
  "modified": "2023-01-23T22:04:47Z",
  "published": "2023-01-23T22:04:47Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/HL7/fhir-ig-publisher/security/advisories/GHSA-xr8x-pxm6-prjg"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/HL7/fhir-ig-publisher"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": " MITM based Zip Slip in `org.hl7.fhir.publisher:org.hl7.fhir.publisher`"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.