CVE-2023-28465: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

December 12, 2023 (updated December 15, 2023)

The package-decompression feature in HL7 (Health Level 7) FHIR Core Libraries before 5.6.106 allows attackers to copy arbitrary files to certain directories via directory traversal, if an allowed directory name is a substring of the directory name chosen by the attacker. NOTE: this issue exists because of an incomplete fix for CVE-2023-24057.

References

github.com/advisories/GHSA-9654-pr4f-gh6m
nvd.nist.gov/vuln/detail/CVE-2023-28465
www.smilecdr.com/our-blog
www.smilecdr.com/our-blog/statement-on-cve-2023-24057-smile-digital-health

Code Behaviors & Features

Detect and mitigate CVE-2023-28465 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →