Home > Vulnerability Database > CVE-2023-28465

Mend.io Vulnerability Database

CVE-2023-28465

Good to know:

Date: December 12, 2023

The package-decompression feature in HL7 (Health Level 7) FHIR Core Libraries before 5.6.106 allows attackers to copy arbitrary files to certain directories via directory traversal, if an allowed directory name is a substring of the directory name chosen by the attacker. NOTE: this issue exists because of an incomplete fix for CVE-2023-24057.

Language: Java

Severity Score

7.5

Related Resources (6)

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-28465

Url: https://github.com/advisories/GHSA-9654-pr4f-gh6m

Url: https://www.smilecdr.com/our-blog/statement-on-cve-2023-24057-smile-digital-health

Url: https://www.smilecdr.com/our-blog

Url: https://github.com/hapifhir/org.hl7.fhir.core/commit/909f7e64fea6532a00b3eb8904bf620fc3cae6d1

Url: https://www.mend.io/vulnerability-database/CVE-2023-28465

Severity Score

7.5

Weakness Type (CWE)

Path Traversal

CWE-22

Top Fix

Upgrade Version

Upgrade to version ca.uhn.hapi.fhir:org.hl7.fhir.utilities:5.6.106, ca.uhn.hapi.fhir:org.hl7.fhir.validation:5.6.106, ca.uhn.hapi.fhir:org.hl7.fhir.r4b:5.6.106, ca.uhn.hapi.fhir:org.hl7.fhir.r5:5.6.106, ca.uhn.hapi.fhir:org.hl7.fhir.convertors:5.6.106

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2023-28465

Good to know:

Date: December 12, 2023

Language: Java

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?