Critical severityNVD Advisory· Published Jan 24, 2023· Updated Apr 1, 2025

CVE-2023-24057

Description

HL7 (Health Level 7) FHIR Core Libraries before 5.6.92 allow attackers to extract files into arbitrary directories via directory traversal from a crafted ZIP or TGZ archive (for a prepackaged terminology cache, NPM package, or comparison archive).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
ca.uhn.hapi.fhir:org.hl7.fhir.coreMaven	< 5.6.92	5.6.92
ca.uhn.hapi.fhir:org.hl7.fhir.convertorsMaven	< 5.6.92	5.6.92
ca.uhn.hapi.fhir:org.hl7.fhir.r4bMaven	< 5.6.92	5.6.92
ca.uhn.hapi.fhir:org.hl7.fhir.r5Maven	< 5.6.92	5.6.92
ca.uhn.hapi.fhir:org.hl7.fhir.utilitiesMaven	< 5.6.92	5.6.92
ca.uhn.hapi.fhir:org.hl7.fhir.validationMaven	< 5.6.92	5.6.92

Affected products

HL7/FHIR Core Librariesdescription
ghsa-coords6 versions
pkg:maven/ca.uhn.hapi.fhir/org.hl7.fhir.convertors pkg:maven/ca.uhn.hapi.fhir/org.hl7.fhir.core pkg:maven/ca.uhn.hapi.fhir/org.hl7.fhir.r4b pkg:maven/ca.uhn.hapi.fhir/org.hl7.fhir.r5 pkg:maven/ca.uhn.hapi.fhir/org.hl7.fhir.utilities pkg:maven/ca.uhn.hapi.fhir/org.hl7.fhir.validation
< 5.6.92+ 5 more
- (no CPE)range: < 5.6.92
- (no CPE)range: < 5.6.92
- (no CPE)range: < 5.6.92
- (no CPE)range: < 5.6.92
- (no CPE)range: < 5.6.92
- (no CPE)range: < 5.6.92

Patches

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

News mentions

No linked articles in our index yet.

cvss	0.585
epss	0.001
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000