CVE-2023-28465: 
Java vulnerability analysis and mitigation

The package-decompression feature in HL7 (Health Level 7) FHIR Core Libraries before version 5.6.106 contains a directory traversal vulnerability. The issue was discovered in March 2023 and allows attackers to copy arbitrary files to certain directories if an allowed directory name is a substring of the directory name chosen by the attacker. This vulnerability exists due to an incomplete fix for a previous vulnerability (CVE-2023-24057) (GitHub Advisory, NVD).

The vulnerability stems from improper path validation in the TerminologyCacheManager. While getAbsolutePath returns a normalized path, because the string path is not slash terminated, the guard can be bypassed to write contents of a Zip file to a sibling directory of the cache directory. For example, userControlled.getCanonicalPath().startsWith('/usr/out') will allow access to a directory named '/usr/outnot'. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (GitHub Advisory, NVD).

The impact is limited to sibling directories of the cache directory. An attacker can potentially break out of the TerminologyCacheManager cache directory and write files to unauthorized locations, leading to potential information disclosure (GitHub Advisory).

The vulnerability has been fixed in version 5.6.106 of all org.hl7.fhir.core libraries. The fix involves using java.nio.files.Path#startsWith for path comparison, such as file.getCanonicalFile().toPath().startsWith(BASE_DIRECTORY) or file.getCanonicalFile().toPath().startsWith(BASE_DIRECTORY_FILE.getCanonicalFile().toPath()) (GitHub Advisory).