CVE-2023-28465 Overview
CVE-2023-28465 is a directory traversal vulnerability in the package-decompression feature of HL7 (Health Level 7) FHIR Core Libraries. It allows attackers to copy arbitrary files to certain directories by exploiting improper path validation during package extraction. The flaw occurs when an allowed directory name is a substring of an attacker-controlled directory name, enabling unauthorized file writes to unintended locations. This vulnerability results from an incomplete fix for the previously disclosed CVE-2023-24057.
Critical Impact
Attackers can exploit this directory traversal vulnerability to write arbitrary files to sensitive directories, potentially leading to unauthorized data access, configuration manipulation, or further system compromise in healthcare environments using HL7 FHIR implementations.
Affected Products
- HAPI FHIR HL7 FHIR Core Libraries versions before 5.6.106
- Healthcare applications implementing HL7 FHIR package decompression functionality
- Systems using vulnerable versions of the hapifhir:hl7_fhir_core component
Discovery Timeline
- 2023-12-12 - CVE-2023-28465 published to NVD
- 2025-05-27 - Last updated in NVD database
Technical Details for CVE-2023-28465
Vulnerability Analysis
This vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as directory traversal or path traversal. The flaw resides in the package-decompression functionality of the HL7 FHIR Core Libraries, which processes and extracts healthcare data packages.
The vulnerability stems from an incomplete security fix for CVE-2023-24057. While the original patch attempted to restrict file extraction to allowed directories, the implementation failed to properly validate directory boundaries. Specifically, the validation logic only checks if an allowed directory name appears as a substring within the target path, rather than enforcing strict directory containment.
This allows an attacker to craft malicious package files that, when decompressed, write files to directories outside the intended extraction location. Given that HL7 FHIR libraries are extensively used in healthcare information systems for exchanging patient data and clinical information, exploitation could have significant implications for healthcare data integrity and system security.
Root Cause
The root cause of CVE-2023-28465 is insufficient path validation in the package decompression routine. The original mitigation for CVE-2023-24057 implemented a directory allowlist check, but the substring-based comparison used in this check is fundamentally flawed. When validating whether a target directory is permitted, the code checks if the allowed directory name appears anywhere within the attacker-supplied path, rather than ensuring the path is strictly contained within the allowed directory hierarchy.
For example, if /allowed/path is allowlisted, an attacker could specify a target like /allowed/path_malicious, which passes the substring check, or construct paths that include the allowed string as a component but resolve to entirely different locations.
Attack Vector
The attack vector for this vulnerability is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by crafting a malicious HL7 FHIR package containing specially constructed file paths. When this malicious package is processed by a vulnerable system:
- The attacker creates a package with embedded file paths designed to bypass the substring-based directory validation
- The victim's system receives and processes the malicious package through normal FHIR data exchange operations
- During decompression, the flawed validation logic permits file extraction to unauthorized directories
- Arbitrary files are written to attacker-chosen locations, potentially overwriting critical configurations or placing malicious payloads
Exploitation relies on the substring-matching flaw in path validation. When the decompression function validates target directories, it checks only whether an allowed directory string (e.g., /safe/directory) appears within the provided path. A path such as /safe/directory/../../../target/location, or a directory name that merely contains the allowed string as a substring, therefore passes the check even though it resolves outside the allowed directory.
For detailed technical information about this vulnerability and the incomplete fix, refer to the GitHub Security Advisory and the Smile CDR Statement on CVE-2023-24057.
Detection Methods for CVE-2023-28465
Indicators of Compromise
- Unexpected files appearing in system directories outside designated FHIR package extraction paths
- Log entries showing file write operations whose target paths contain path traversal sequences (../) or resolve outside the extraction directory
- Presence of files with healthcare-related naming conventions in unauthorized system locations
- Anomalous directory access patterns during FHIR package processing operations
Detection Strategies
- Implement file integrity monitoring on critical system directories to detect unauthorized file modifications
- Monitor application logs for path traversal patterns and suspicious package extraction activities
- Deploy endpoint detection rules that alert on file write operations from FHIR-related processes to system-critical directories
- Conduct regular dependency scanning to identify vulnerable versions of hapifhir:hl7_fhir_core in deployed applications
Monitoring Recommendations
- Enable verbose logging for FHIR package processing operations to capture file extraction paths
- Implement alerts for any file system operations that resolve to paths outside expected extraction directories
- Monitor network traffic for incoming FHIR packages from untrusted sources
- Establish baseline behavior for FHIR library file operations to detect anomalous activity
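The following is an added illustration, not code from the HL7 FHIR Core Libraries: it places the flawed substring check described under Root Cause and Attack Vector beside a normalised containment check, then applies the containment check to constructed extraction-log lines as the "resolves outside expected extraction directories" alert recommended above. The log line format, the directory names and the entry names are assumptions; base directories are assumed to be absolute POSIX paths.

```python
import posixpath
import re


def target_path(base, entry):
    """Where an archive entry would land if extracted under base
    (lexical join, no normalisation). An absolute entry replaces base."""
    return posixpath.join(base, entry)


def substring_check(base, entry):
    """Flawed validation modelled on the incomplete CVE-2023-24057 fix:
    accepts the entry whenever the allowed directory string appears
    anywhere in the target path, so '../' sequences and sibling
    directories sharing the prefix (e.g. /allowed/path_malicious) pass."""
    return base in target_path(base, entry)


def containment_check(base, entry):
    """Hardened validation: normalise the target and require it to be a
    strict descendant of the allowed directory. On a real filesystem,
    resolve symlinks (os.path.realpath) before comparing."""
    root = posixpath.normpath(base)
    resolved = posixpath.normpath(target_path(root, entry))
    return posixpath.commonpath([root, resolved]) == root and resolved != root


# Assumed log format: "... base=<extraction dir> entry=<archive entry>".
LOG_RE = re.compile(r"base=(?P<base>\S+)\s+entry=(?P<entry>\S+)")


def escaping_entries(log_lines):
    """Detection rule: return (entry, resolved_target) for every logged
    extraction whose entry would be written outside its declared base."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m is None:
            continue
        base, entry = m.group("base"), m.group("entry")
        if not containment_check(base, entry):
            hits.append((entry, posixpath.normpath(target_path(base, entry))))
    return hits


# Constructed sample log lines (not real HAPI FHIR output).
SAMPLE_LOG = [
    "INFO PackageExtractor base=/var/lib/fhir/packages/extract entry=package/StructureDefinition-Patient.json",
    "INFO PackageExtractor base=/var/lib/fhir/packages/extract entry=../../../../../target/location/payload.json",
    "INFO PackageExtractor base=/var/lib/fhir/packages/extract entry=/var/lib/fhir/packages/extract_malicious/payload.json",
]

if __name__ == "__main__":
    for entry, resolved in escaping_entries(SAMPLE_LOG):
        print(f"ESCAPE: {entry} -> {resolved}")
```

Both traversal entries in the sample log pass substring_check and are rejected by containment_check; only the first line is a legitimate write.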
How to Mitigate CVE-2023-28465
Immediate Actions Required
- Upgrade HL7 FHIR Core Libraries to version 5.6.106 or later immediately
- Audit systems for any evidence of exploitation or unauthorized file modifications
- Review and restrict file system permissions for directories accessible by FHIR processing components
- Implement network segmentation to limit exposure of systems processing FHIR packages
Patch Information
The vulnerability has been addressed in HL7 FHIR Core Libraries version 5.6.106 and later. Organizations should update their deployments by modifying their dependency configurations to require the patched version. For Maven-based projects, update the hapifhir:hl7_fhir_core dependency to specify version 5.6.106 or higher. Additional information about the security fix can be found in the GitHub Security Advisory.
Workarounds
- Implement additional file system access controls to restrict write permissions for FHIR processing components to explicitly allowed directories only
- Deploy a Web Application Firewall (WAF) or input validation layer to inspect and sanitize incoming FHIR packages before processing
- Run FHIR package processing in a sandboxed environment with limited file system access
- Disable or restrict the package decompression feature if not required for operations
# Example: Restrict file system permissions for FHIR extraction directory
# (run as root; fhir-service is the account the FHIR component runs as)
chmod 700 /var/lib/fhir/packages
chown fhir-service:fhir-service /var/lib/fhir/packages
# Create a dedicated extraction directory with strict permissions and give
# the service account ownership so it can write there and nowhere else
mkdir -p /var/lib/fhir/packages/extract
chown fhir-service:fhir-service /var/lib/fhir/packages/extract
chmod 750 /var/lib/fhir/packages/extract
# Monitor the extraction directory for unexpected file writes
# Using inotifywait (inotify-tools) for real-time, recursive monitoring
inotifywait -m -r -e create,modify /var/lib/fhir/packages/
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.