History: Dec 12, 2023 - 5:15 p.m.

CVE-2023-28465

2023-12-12 17:15:07
CWE-22
mitre
web.nvd.nist.gov
Tags: hl7, fhir core libraries, cve-2023-28465, security vulnerability, file copy, directory traversal, nvd

CVSS3: 7.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score: 7.7
Confidence: High

EPSS: 0.002
Percentile: 61.6%

The package-decompression feature in HL7 (Health Level 7) FHIR Core Libraries before 5.6.106 allows attackers to copy arbitrary files to certain directories via directory traversal, if an allowed directory name is a substring of the directory name chosen by the attacker. NOTE: this issue exists because of an incomplete fix for CVE-2023-24057.
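The substring condition in the description is the signature of a containment check done on path strings rather than on path components. The following is an added illustration of that class of check beside a hardened form; it is not code from the FHIR Core Libraries, and the class name, method names, base directory and entry names are all hypothetical (POSIX-style paths assumed).

```java
import java.nio.file.Path;
import java.nio.file.Paths;

public class ExtractPathCheck {

    // Flawed pattern: String.startsWith compares characters, so a sibling
    // directory whose name merely begins with the allowed name is accepted.
    static boolean insideByStringPrefix(String baseDir, String entryName) {
        String target = Paths.get(baseDir, entryName).normalize().toString();
        return target.startsWith(baseDir);
    }

    // Hardened pattern: Path.startsWith compares whole name elements, so
    // only the allowed directory itself or a real descendant is accepted.
    // An absolute entry name replaces the base in resolve() and is rejected.
    static boolean insideByPathComponents(String baseDir, String entryName) {
        Path base = Paths.get(baseDir).toAbsolutePath().normalize();
        Path target = base.resolve(entryName).normalize();
        return target.startsWith(base);
    }

    public static void main(String[] args) {
        String base = "/srv/packages";          // constructed allowed directory
        String[] entries = {                    // constructed archive entry names
            "package/package.json",             // legitimate entry
            "../packages-other/file.txt",       // sibling dir sharing the prefix
            "../../etc/file.txt",               // plain traversal
            "/srv/packages-other/file.txt"      // absolute name sharing the prefix
        };
        for (String e : entries) {
            System.out.printf("%-30s string-prefix=%-5b path-components=%b%n",
                    e, insideByStringPrefix(base, e), insideByPathComponents(base, e));
        }
    }
}
```

`normalize()` is purely lexical; where the extraction directory can contain symbolic links, resolve the existing parent with `toRealPath()` before the comparison.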

Affected configurations

Nvd

Node: hapifhir hl7_fhir_core, Range: <5.6.106

Vendor: hapifhir
Product: hl7_fhir_core
Version: *
CPE: cpe:2.3:a:hapifhir:hl7_fhir_core:*:*:*:*:*:*:*:*
