9.1

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-xr8x-pxm6-prjg

EPSS Score

CWE

Published

1/23/2023

Updated

1/23/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-xr8x-pxm6-prjg

GHSA-xr8x-pxm6-prjg: MITM based Zip Slip in `org.hl7.fhir.publisher:org.hl7.fhir.publisher`

Impact

MITM can enable Zip-Slip.

Vulnerability

Vulnerability 1: `Publisher.java`

There is no validation that the zip file being unpacked has entries that are not maliciously writing outside of the intended destination directory.

https://github.com/HL7/fhir-ig-publisher/blob/87313e92de6dd6cea816449e0edd225e054a7891/org.hl7.fhir.publisher.core/src/main/java/org/hl7/fhir/igtools/publisher/Publisher.java#L3598-L3610

Vulnerability 2: `WebSourceProvider.java`

There is a check for malicious zip entries here, but it is not covered by test cases and could potentially be reverted in future changes.

https://github.com/HL7/fhir-ig-publisher/blob/87313e92de6dd6cea816449e0edd225e054a7891/org.hl7.fhir.publisher.core/src/main/java/org/hl7/fhir/igtools/web/WebSourceProvider.java#L104-L112

Vulnerability 3: `ZipFetcher.java`

This retains the path for Zip files in FetchedFile entries, which could later be used to output malicious entries to another compressed file or file system.

https://github.com/HL7/fhir-ig-publisher/blob/87313e92de6dd6cea816449e0edd225e054a7891/org.hl7.fhir.publisher.core/src/main/java/org/hl7/fhir/igtools/publisher/ZipFetcher.java#L57-L106

Vulnerability 4: `IGPack2NpmConvertor.java`

The loadZip method retains the path for entries in the zip file, which could later be used to output malicious entries to another compressed file or file system.

https://github.com/HL7/fhir-ig-publisher/blob/87313e92de6dd6cea816449e0edd225e054a7891/org.hl7.fhir.publisher.core/src/main/java/org/hl7/fhir/igtools/publisher/IGPack2NpmConvertor.java#L442-L463

(GitHub Advisory)

9.1

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-xr8x-pxm6-prjg

EPSS Score

CWE

Published

1/23/2023

Updated

1/23/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.hl7.fhir.publisher:org.hl7.fhir.publisher	maven	< 1.2.30	1.2.30

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from insufficient path validation during zip extraction or retention of unsanitized paths. Publisher.java directly writes entries using entry.getName() without checks. ZipFetcher.java retains paths in FetchedFile objects, propagating the risk to downstream operations. IGPack2NpmConvertor.java's loadZip method stores raw paths, creating a latent vulnerability. WebSourceProvider.java was excluded because it includes a check (though untested), making it non-vulnerable in its current state.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t MITM **n *n**l* Zip-Slip. ### Vuln*r**ility #### Vuln*r**ility *: `Pu*lis**r.j*v*` T**r* is no v*li**tion t**t t** zip *il* **in* unp**k** **s *ntri*s t**t *r* not m*li*iously writin* outsi** o* t** int*n*** **stin*tion *ir**tory. *ttp

Reasoning

T** vuln*r**ility st*ms *rom insu**i*i*nt p*t* v*li**tion *urin* zip *xtr**tion or r*t*ntion o* uns*nitiz** p*t*s. Pu*lis**r.j*v* *ir**tly writ*s *ntri*s usin* `*ntry.**tN*m*()` wit*out ****ks. Zip**t***r.j*v* r*t*ins p*t*s in **t*****il* o*j**ts, pr

9.1

Basic Information

Concerned about an active attack path?

GHSA-xr8x-pxm6-prjg: MITM based Zip Slip in `org.hl7.fhir.publisher:org.hl7.fhir.publisher`

Impact

Vulnerability

Vulnerability 1: Publisher.java

Vulnerability 2: WebSourceProvider.java

Vulnerability 3: ZipFetcher.java

Vulnerability 4: IGPack2NpmConvertor.java

9.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability 1: `Publisher.java`

Vulnerability 2: `WebSourceProvider.java`

Vulnerability 3: `ZipFetcher.java`

Vulnerability 4: `IGPack2NpmConvertor.java`

Vulnerability Intelligence
Miggo AI