Vulnerability Description
The package-decompression feature in HL7 (Health Level 7) FHIR Core Libraries before 5.6.106 allows attackers to copy arbitrary files to certain directories via directory traversal, if an allowed directory name is a substring of the directory name chosen by the attacker. NOTE: this issue exists because of an incomplete fix for CVE-2023-24057.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Hapifhir | Hl7 Fhir Core | < 5.6.106 |
Related Weaknesses (CWE)
References
- https://github.com/advisories/GHSA-9654-pr4f-gh6mThird Party Advisory
- https://www.smilecdr.com/our-blogNot Applicable
- https://www.smilecdr.com/our-blog/statement-on-cve-2023-24057-smile-digital-healBroken Link
- https://github.com/advisories/GHSA-9654-pr4f-gh6mThird Party Advisory
- https://www.smilecdr.com/our-blogNot Applicable
- https://www.smilecdr.com/our-blog/statement-on-cve-2023-24057-smile-digital-healBroken Link
FAQ
What is CVE-2023-28465?
CVE-2023-28465 is a vulnerability with a CVSS score of 7.5 (HIGH). The package-decompression feature in HL7 (Health Level 7) FHIR Core Libraries before 5.6.106 allows attackers to copy arbitrary files to certain directories via directory traversal, if an allowed dire...
How severe is CVE-2023-28465?
CVE-2023-28465 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-28465?
Check the references section above for vendor advisories and patch information. Affected products include: Hapifhir Hl7 Fhir Core.