Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1oOW13LWdyZ3gtMmZoZs4AA2oM
sbt vulnerable to arbitrary file write via archive extraction (Zip Slip)
Impact
Given specially crafted zip or JAR file, IO.unzip allows writing of arbitrary file. The follow is an example of a malicious entry:
+2018-04-15 22:04:42 ..... 20 20 ../../../../../../root/.ssh/authorized_keys
This would have a potential to overwrite /root/.ssh/authorized_keys. Within sbt's main code, IO.unzip is used in pullRemoteCache task and Resolvers.remote; however many projects use IO.unzip(...) directly to implement custom tasks - https://github.com/search?q=IO.unzip+language%3AScala&type=code&l=Scala&p=1
Patches
The problem has been patched in https://github.com/sbt/io/pull/360
sbt 1.9.7 is available with the fix.
Workarounds
A workaround might be use some other library to unzip.
References
- https://github.com/snyk/zip-slip-vulnerability
- https://security.snyk.io/vuln/SNYK-JAVA-ORGCODEHAUSPLEXUS-31680
- https://github.com/sbt/io/issues/358
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1oOW13LWdyZ3gtMmZoZs4AA2oM
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 6 months ago
Updated: 6 months ago
CVSS Score: 3.9
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L
Identifiers: GHSA-h9mw-grgx-2fhf, CVE-2023-46122
References:
- https://github.com/sbt/sbt/security/advisories/GHSA-h9mw-grgx-2fhf
- https://nvd.nist.gov/vuln/detail/CVE-2023-46122
- https://github.com/sbt/io/issues/358
- https://github.com/sbt/io/pull/360
- https://github.com/sbt/io/commit/124538348db0713c80793cb57b915f97ec13188a
- https://github.com/advisories/GHSA-h9mw-grgx-2fhf
Blast Radius: 13.0
Affected Packages
maven:org.scala-sbt:io_3
Dependent packages: 15Dependent repositories: 0
Downloads:
Affected Version Ranges: >= 1.0.0, < 1.9.7
Fixed in: 1.9.7
All affected versions: 1.6.0, 1.7.0, 1.8.0, 1.8.1, 1.9.0, 1.9.1
All unaffected versions: 1.9.7, 1.9.8, 1.9.9
maven:org.scala-sbt:io_2.13
Dependent packages: 11Dependent repositories: 0
Downloads:
Affected Version Ranges: >= 1.0.0, < 1.9.7
Fixed in: 1.9.7
All affected versions: 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.4.0, 1.5.0, 1.5.1, 1.6.0, 1.7.0, 1.8.0, 1.8.1, 1.9.0, 1.9.1
All unaffected versions: 1.9.7, 1.9.8, 1.9.9
maven:org.scala-sbt:io_2.12
Dependent packages: 52Dependent repositories: 354
Downloads:
Affected Version Ranges: >= 1.0.0, < 1.9.7
Fixed in: 1.9.7
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.1.7, 1.1.8, 1.1.9, 1.1.10, 1.2.0, 1.2.1, 1.2.2, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.4.0, 1.5.0, 1.5.1, 1.6.0, 1.7.0, 1.8.0, 1.8.1, 1.9.0, 1.9.1
All unaffected versions: 1.9.7, 1.9.8, 1.9.9
maven:org.scala-sbt:sbt
Dependent packages: 61Dependent repositories: 2,192
Downloads:
Affected Version Ranges: >= 0.3.4, < 1.9.7
Fixed in: 1.9.7
All affected versions: 0.99.2, 0.99.4, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.2.8, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.3.9, 1.3.10, 1.3.11, 1.3.12, 1.3.13, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.4.7, 1.4.8, 1.4.9, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.5.7, 1.5.8, 1.6.0, 1.6.1, 1.6.2, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.9.0, 1.9.1, 1.9.2, 1.9.3, 1.9.4, 1.9.5, 1.9.6
All unaffected versions: 1.9.7, 1.9.8, 1.9.9