HL7 (Health Level 7) FHIR Core Libraries before 5.6.92 allow attackers to extract files into arbitrary directories via directory traversal from a crafted ZIP or TGZ archive (for a prepackaged terminology cache, NPM package, or comparison archive).
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| ca.uhn.hapi.fhir:org.hl7.fhir.core (Maven) | 0 | 5.6.92 | N/A |
| ca.uhn.hapi.fhir:org.hl7.fhir.convertors (Maven) | 0 | 5.6.92 | N/A |
| ca.uhn.hapi.fhir:org.hl7.fhir.r4b (Maven) | 0 | 5.6.92 | N/A |
| ca.uhn.hapi.fhir:org.hl7.fhir.r5 (Maven) | 0 | 5.6.92 | N/A |
| ca.uhn.hapi.fhir:org.hl7.fhir.utilities (Maven) | 0 | 5.6.92 | N/A |
| ca.uhn.hapi.fhir:org.hl7.fhir.validation (Maven) | 0 | 5.6.92 | N/A |
CVSS Metrics