GHSA-9654-PR4F-GH6M
Vulnerability from github – Published: 2023-03-10 22:15 – Updated: 2023-12-15 22:19Impact
Zip Slip protections implemented in CVE-2023-24057 (GHSA-jqh6-9574-5x22) can be bypassed due a partial path traversal vulnerability.
This issue allows a malicious actor to potentially break out of the TerminologyCacheManager cache directory. The impact is limited to sibling directories.
To demonstrate the vulnerability, consider userControlled.getCanonicalPath().startsWith("/usr/out") will allow an attacker to access a directory with a name like /usr/outnot.
Why?
To demonstrate this vulnerability, consider "/usr/outnot".startsWith("/usr/out").
The check is bypassed although /outnot is not under the /out directory.
It's important to understand that the terminating slash may be removed when using various String representations of the File object.
For example, on Linux, println(new File("/var")) will print /var, but println(new File("/var", "/") will print /var/;
however, println(new File("/var", "/").getCanonicalPath()) will print /var.
The Fix
Comparing paths with the java.nio.files.Path#startsWith will adequately protect againts this vulnerability.
For example: file.getCanonicalFile().toPath().startsWith(BASE_DIRECTORY) or file.getCanonicalFile().toPath().startsWith(BASE_DIRECTORY_FILE.getCanonicalFile().toPath())
Other Examples
- CVE-2022-31159 - aws/aws-sdk-java
- CVE-2022-23457 - ESAPI/esapi-java-legacy
Vulnerability
https://github.com/hapifhir/org.hl7.fhir.core/blob/b0daf666725fa14476d147522155af1e81922aac/org.hl7.fhir.r4b/src/main/java/org/hl7/fhir/r4b/terminologies/TerminologyCacheManager.java#L99-L105
While getAbsolutePath will return a normalized path, because the string path is not slash terminated, the guard can be bypassed to write the contents of the Zip file to a sibling directory of the cache directory.
Patches
All org.hl7.fhir.core libraries should be updated to 5.6.106. - https://github.com/hapifhir/org.hl7.fhir.core/pull/1162
Workarounds
Unknown
References
- https://snyk.io/research/zip-slip-vulnerability
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "ca.uhn.hapi.fhir:org.hl7.fhir.core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.6.106"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "ca.uhn.hapi.fhir:org.hl7.fhir.convertors"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.6.106"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "ca.uhn.hapi.fhir:org.hl7.fhir.r4b"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.6.106"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "ca.uhn.hapi.fhir:org.hl7.fhir.r5"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.6.106"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "ca.uhn.hapi.fhir:org.hl7.fhir.utilities"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.6.106"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "ca.uhn.hapi.fhir:org.hl7.fhir.validation"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.6.106"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-28465"
],
"database_specific": {
"cwe_ids": [
"CWE-22"
],
"github_reviewed": true,
"github_reviewed_at": "2023-03-10T22:15:55Z",
"nvd_published_at": "2023-12-12T17:15:07Z",
"severity": "HIGH"
},
"details": "### Impact\n\nZip Slip protections implemented in CVE-2023-24057 (GHSA-jqh6-9574-5x22) can be bypassed due a partial path traversal vulnerability.\n\nThis issue allows a malicious actor to potentially break out of the `TerminologyCacheManager` cache directory. The impact is limited to sibling directories.\n\nTo demonstrate the vulnerability, consider `userControlled.getCanonicalPath().startsWith(\"/usr/out\")` will allow an attacker to access a directory with a name like `/usr/outnot`. \n\n### Why?\n\nTo demonstrate this vulnerability, consider `\"/usr/outnot\".startsWith(\"/usr/out\")`.\nThe check is bypassed although `/outnot` is not under the `/out` directory.\nIt\u0027s important to understand that the terminating slash may be removed when using various `String` representations of the `File` object.\nFor example, on Linux, `println(new File(\"/var\"))` will print `/var`, but `println(new File(\"/var\", \"/\")` will print `/var/`;\nhowever, `println(new File(\"/var\", \"/\").getCanonicalPath())` will print `/var`.\n\n### The Fix\n\nComparing paths with the `java.nio.files.Path#startsWith` will adequately protect againts this vulnerability.\n\nFor example: `file.getCanonicalFile().toPath().startsWith(BASE_DIRECTORY)` or `file.getCanonicalFile().toPath().startsWith(BASE_DIRECTORY_FILE.getCanonicalFile().toPath())`\n\n### Other Examples\n\n - [CVE-2022-31159](https://github.com/aws/aws-sdk-java/security/advisories/GHSA-c28r-hw5m-5gv3) - aws/aws-sdk-java\n - [CVE-2022-23457](https://securitylab.github.com/advisories/GHSL-2022-008_The_OWASP_Enterprise_Security_API/) - ESAPI/esapi-java-legacy\n\n### Vulnerability\n\nhttps://github.com/hapifhir/org.hl7.fhir.core/blob/b0daf666725fa14476d147522155af1e81922aac/org.hl7.fhir.r4b/src/main/java/org/hl7/fhir/r4b/terminologies/TerminologyCacheManager.java#L99-L105\n\nWhile `getAbsolutePath` will return a normalized path, because the string `path` is not slash terminated, the guard can be bypassed to write the contents of the Zip file to a sibling directory of the cache directory.\n\n### Patches\nAll org.hl7.fhir.core libraries should be updated to 5.6.106.\n - https://github.com/hapifhir/org.hl7.fhir.core/pull/1162\n\n### Workarounds\nUnknown\n\n### References\n* https://snyk.io/research/zip-slip-vulnerability\n",
"id": "GHSA-9654-pr4f-gh6m",
"modified": "2023-12-15T22:19:57Z",
"published": "2023-03-10T22:15:55Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-9654-pr4f-gh6m"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28465"
},
{
"type": "WEB",
"url": "https://github.com/hapifhir/org.hl7.fhir.core/pull/1162"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-9654-pr4f-gh6m"
},
{
"type": "PACKAGE",
"url": "https://github.com/hapifhir/org.hl7.fhir.core"
},
{
"type": "WEB",
"url": "https://github.com/hapifhir/org.hl7.fhir.core/blob/b0daf666725fa14476d147522155af1e81922aac/org.hl7.fhir.r4b/src/main/java/org/hl7/fhir/r4b/terminologies/TerminologyCacheManager.java#L99-L105"
},
{
"type": "WEB",
"url": "https://github.com/hapifhir/org.hl7.fhir.core/releases/tag/5.6.106"
},
{
"type": "WEB",
"url": "https://www.smilecdr.com/our-blog"
},
{
"type": "WEB",
"url": "https://www.smilecdr.com/our-blog/statement-on-cve-2023-24057-smile-digital-health"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "HL7 FHIR Partial Path Zip Slip due to bypass of CVE-2023-24057"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.