CVE-2023-28465 is a high-severity directory traversal vulnerability affecting the package-decompression feature in HL7 FHIR Core Libraries versions prior to 5.6.106. HL7 FHIR (Fast Healthcare Interoperability Resources) is a widely adopted standard for exchanging healthcare information electronically. The vulnerability arises because the decompression functionality does not properly validate directory names during extraction, allowing an attacker to craft archive files with directory names that include allowed directory names as substrings. This incomplete validation enables attackers to traverse directories and copy arbitrary files to unintended locations on the target system. The issue is a regression or incomplete fix of a previous vulnerability, CVE-2023-24057, indicating that the underlying problem with directory traversal was not fully resolved. The CVSS v3.1 base score of 7.5 reflects that this vulnerability can be exploited remotely without authentication or user interaction (AV:N/AC:L/PR:N/UI:N), resulting in a high impact on confidentiality (C:H) but no impact on integrity or availability. Exploiting this vulnerability could allow attackers to place malicious files or sensitive data in arbitrary directories, potentially leading to information disclosure or facilitating further attacks such as code execution if the files are processed by other components. No known exploits are currently reported in the wild, and no official patches or vendor information are provided in the data. The vulnerability is categorized under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), a common weakness in file handling that can lead to directory traversal attacks.

For European organizations, especially those in the healthcare sector using HL7 FHIR Core Libraries for managing and exchanging patient data, this vulnerability poses a significant risk. Exploitation could lead to unauthorized disclosure of sensitive health information, violating GDPR and other data protection regulations, resulting in legal and financial penalties. Additionally, the ability to write arbitrary files to the system could be leveraged to implant malware or backdoors, compromising system integrity and patient safety. Healthcare providers, research institutions, and health IT vendors in Europe that rely on these libraries for interoperability and data exchange are particularly at risk. The impact extends beyond confidentiality to potential reputational damage and operational disruptions if systems are compromised or require emergency remediation.

European healthcare organizations should immediately audit their use of HL7 FHIR Core Libraries and identify versions prior to 5.6.106. Where possible, upgrade to version 5.6.106 or later once available to ensure the vulnerability is patched. In the absence of an official patch, implement strict input validation and sanitization on all archive files before decompression, specifically checking for directory traversal patterns and disallowing directory names that contain allowed directory names as substrings. Employ application-layer controls to restrict file write locations and enforce least privilege on processes handling decompression to limit the impact of any successful exploitation. Monitor file system changes and logs for suspicious activity related to decompression operations. Additionally, conduct regular security assessments and penetration tests focusing on file handling components. Engage with HL7 FHIR library maintainers and community for updates and advisories. Finally, ensure incident response plans are updated to address potential exploitation scenarios involving this vulnerability.