CVE-2023-28465

7.5 HIGH

📋 TL;DR

This vulnerability in HL7 FHIR Core Libraries allows attackers to perform directory traversal during package decompression, enabling arbitrary file writes to specific directories. It affects systems using vulnerable versions of the FHIR libraries for healthcare data exchange. It exists because the fix for CVE-2023-24057 was incomplete.

💻 Affected Systems

Products:
  • HL7 FHIR Core Libraries
  • Smile Digital Health products using FHIR libraries
Versions: before 5.6.106
Operating Systems: All platforms running vulnerable FHIR libraries
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems using package decompression feature in FHIR libraries. Healthcare systems using FHIR for data exchange are particularly at risk.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could overwrite critical system files, install malware, or achieve remote code execution by writing executable files to directories accessible by the application.

🟠 Likely Case

Attackers could write malicious files to application directories, potentially leading to data manipulation, privilege escalation, or persistence mechanisms.

🟢 If Mitigated

With proper input validation and directory restrictions, impact is limited to controlled directories with minimal system access.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the ability to trigger package decompression with malicious input. The vulnerability is a directory traversal that bypasses the earlier fix for CVE-2023-24057.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.6.106

Vendor Advisory: https://github.com/advisories/GHSA-9654-pr4f-gh6m

Restart Required: Yes

Instructions:

1. Update HL7 FHIR Core Libraries to version 5.6.106 or later.
2. Update any dependent applications using these libraries.
3. Restart affected services.

🔧 Temporary Workarounds

Disable package decompression (applies to: all platforms)

Temporarily disable the vulnerable package decompression feature if it is not required.

Configure the application to disable FHIR package decompression functionality.

Restrict file system access (applies to: linux)

Limit application permissions to only the necessary directories:

chmod 750 /path/to/application/directories
setfacl -m u:appuser:rx /path/to/restricted/dirs

🧯 If You Can't Patch

  • Implement strict input validation for all decompression operations
  • Deploy application in containerized environment with restricted file system access

🔍 How to Verify

Check if Vulnerable:

Check FHIR library version in application dependencies or pom.xml for versions <5.6.106

Check Version:

Check application dependency files or run: java -cp fhir-core.jar org.hl7.fhir.utilities.VersionUtilities

Verify Fix Applied:

Verify that the FHIR library version is 5.6.106 or later, then test package decompression with a test package whose entry names contain traversal paths and confirm that no file is written outside the intended directory.
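To make the "test with malicious paths" step concrete, and to show the strict input validation recommended under "If You Can't Patch", here is an added Python example; it is not code from the FHIR core libraries. It builds a constructed npm-style .tgz package (the FHIR package layout) containing traversal entries and applies the per-entry containment check that a safe extractor must perform before writing anything to disk. DEST_DIR and the entry names are constructed assumptions.

```python
import io
import os
import re
import tarfile

DEST_DIR = "/opt/fhir/packages/example"  # hypothetical extraction root (constructed)

def is_safe_member(name: str, dest: str) -> bool:
    """True only if an entry named `name` would land inside `dest`: backslashes
    count as separators (as on a Windows JVM), absolute and drive-letter names
    are refused, and '..' components that climb out of `dest` are caught."""
    normalised = name.replace("\\", "/")
    if normalised.startswith("/") or re.match(r"^[A-Za-z]:", normalised):
        return False
    dest_abs = os.path.abspath(dest)
    target = os.path.normpath(os.path.join(dest_abs, normalised))
    try:
        return os.path.commonpath([dest_abs, target]) == dest_abs
    except ValueError:  # different Windows drives: never inside dest
        return False

def check_package(blob: bytes, dest: str):
    """Split a .tgz package's entries into (safe, rejected) name lists. Link
    entries are refused outright: a symlink could redirect a later write."""
    safe, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for m in tar.getmembers():
            if m.issym() or m.islnk() or not is_safe_member(m.name, dest):
                rejected.append(m.name)
            else:
                safe.append(m.name)
    return safe, rejected

def build_package(entries) -> bytes:
    """Build a constructed npm-style .tgz (the FHIR package layout) in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in entries:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed sample: two legitimate entries and two traversal attempts.
SAMPLE_PACKAGE = build_package([
    ("package/package.json", b'{"name": "example.fhir.pkg"}'),
    ("package/StructureDefinition-example.json", b"{}"),
    ("package/../../../tmp/escaped.json", b"{}"),
    ("..\\..\\escaped-windows.json", b"{}"),
])
```

On Python 3.12 (and later security releases of 3.8 through 3.11) tarfile's extractall(filter="data") enforces equivalent rules; the explicit check above is the logic to port when the extractor is written in another language.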

📡 Detection & Monitoring

Log Indicators:

  • Unusual file write operations in application logs
  • Failed directory traversal attempts in security logs
  • Multiple decompression operations with unusual paths

Network Indicators:

  • Unusual FHIR package uploads with path traversal patterns
  • Suspicious file transfer activity following package uploads

SIEM Query:

source="application.log" AND ("directory traversal" OR "path traversal" OR "../" OR "..\\") AND "decompress"
