The package-decompression feature in HL7 (Health Level 7) FHIR Core Libraries before 5.6.106 allows attackers to copy arbitrary files to certain directories via directory traversal, if an allowed directory name is a substring of the directory name chosen by the attacker (for example, a string-prefix comparison that accepts `packages-evil` because it begins with the allowed name `packages`). NOTE: this issue exists because of an incomplete fix for CVE-2023-24057.
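The check the description refers to is a containment test run on each archive entry before it is written to disk. The following is an added example, not code from the HL7 FHIR core libraries, that contrasts a string-prefix test (which the description above says is bypassable) with a path-component test; the directory names, entry names and the `weakCheck`/`strictCheck` method names are constructed for illustration.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;

public class ExtractionPathCheck {

    // Bypassable form: compares canonical paths as plain strings, so a sibling
    // directory whose name merely starts with the allowed name passes the test.
    static boolean weakCheck(Path allowedDir, String entryName) throws IOException {
        File target = new File(allowedDir.toFile(), entryName);
        String allowed = allowedDir.toFile().getCanonicalPath();
        return target.getCanonicalPath().startsWith(allowed);
    }

    // Hardened form: normalize both sides and compare at the path-component level.
    // Path.startsWith(Path) matches whole name elements, so "/tmp/packages-evil"
    // does not start with "/tmp/packages". An absolute entry name is also rejected,
    // because resolve() discards the base when the argument is absolute.
    static boolean strictCheck(Path allowedDir, String entryName) {
        Path root = allowedDir.toAbsolutePath().normalize();
        Path target = root.resolve(entryName).normalize();
        return target.startsWith(root);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: the extraction root and three archive entry names,
        // one benign and two traversal attempts.
        Path root = Paths.get("/tmp/packages");
        String[] entries = {
            "package/StructureDefinition-a.json",   // benign
            "../packages-evil/overwrite.json",      // sibling dir sharing the prefix
            "../../etc/overwrite.json"              // plain traversal
        };
        for (String e : entries) {
            System.out.printf("%-40s weak=%-5s strict=%s%n",
                e, weakCheck(root, e), strictCheck(root, e));
        }
    }
}
```

Run with `java ExtractionPathCheck.java` on a Unix-like host; the second entry is accepted by `weakCheck` and rejected by `strictCheck`, the third is rejected by both, and the first is accepted by both. Resolving `..` before the comparison, rather than only scanning the entry name for `..`, is what makes the component-level check hold regardless of how the traversal is spelled.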
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| ca.uhn.hapi.fhir:org.hl7.fhir.core (Maven) | 0 | 5.6.106 | N/A |
| ca.uhn.hapi.fhir:org.hl7.fhir.convertors (Maven) | 0 | 5.6.106 | N/A |
| ca.uhn.hapi.fhir:org.hl7.fhir.r4b (Maven) | 0 | 5.6.106 | N/A |
| ca.uhn.hapi.fhir:org.hl7.fhir.r5 (Maven) | 0 | 5.6.106 | N/A |
| ca.uhn.hapi.fhir:org.hl7.fhir.utilities (Maven) | 0 | 5.6.106 | N/A |
| ca.uhn.hapi.fhir:org.hl7.fhir.validation (Maven) | 0 | 5.6.106 | N/A |