Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-46122: zip slip vulnerability · Issue #358 · sbt/io

sbt is a build tool for Scala, Java, and others. Given a specially crafted zip or JAR file, IO.unzip allows writing of arbitrary file. This would have potential to overwrite /root/.ssh/authorized_keys. Within sbt’s main code, IO.unzip is used in pullRemoteCache task and Resolvers.remote; however many projects use IO.unzip(...) directly to implement custom tasks. This vulnerability has been patched in version 1.9.7.

CVE
#vulnerability#ios#mac#git#java#auth#ssh

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

xuwei-k opened this issue

Oct 15, 2023

· 1 comment · Fixed by #360

Closed

zip slip vulnerability #358

xuwei-k opened this issue

Oct 15, 2023

· 1 comment · Fixed by #360

Comments

  • https://security.snyk.io/research/zip-slip-vulnerability
  • https://github.com/snyk/zip-slip-vulnerability

How to fix? 🤔

  • change filter: NameFilter = AllPassFilter default param?

    • def unzip(

      from: File,

      toDirectory: File,

      filter: NameFilter = AllPassFilter,

      preserveLastModified: Boolean = true

      ): Set[File] =

      fileInputStream(from)(in => unzipStream(in, toDirectory, filter, preserveLastModified))

      def unzipURL(

      from: URL,

      toDirectory: File,

      filter: NameFilter = AllPassFilter,

      preserveLastModified: Boolean = true

      ): Set[File] =

      urlInputStream(from)(in => unzipStream(in, toDirectory, filter, preserveLastModified))

      def unzipStream(

      from: InputStream,

      toDirectory: File,

      filter: NameFilter = AllPassFilter,

  • add explicit filter param in user code?

    • https://github.com/sbt/sbt/blob/da41144f37c32cbc0a64e3a91b505ce568869166/main/src/main/scala/sbt/Resolvers.scala#L44
    • https://github.com/sbt/sbt/blob/da41144f37c32cbc0a64e3a91b505ce568869166/main/src/main/scala/sbt/internal/RemoteCache.scala#L416
  • another solutions?

eed3si9n added a commit to eed3si9n/io that referenced this issue

Oct 22, 2023

Fixes sbt#358 Ref codehaus-plexus/plexus-archiver 87

**Problem** IO.unzip currently has zip-slip vulnerability, which can write arbitrary files on the machine using specially crafted zip archive that holds path traversal file names.

**Solution** This replicates the fix originally sent to plex-archiver by Snyk Team.

eed3si9n added a commit to eed3si9n/io that referenced this issue

Oct 22, 2023

Fixes sbt#358 Ref codehaus-plexus/plexus-archiver 87

**Problem** IO.unzip currently has zip-slip vulnerability, which can write arbitrary files on the machine using specially crafted zip archive that holds path traversal file names.

**Solution** This replicates the fix originally sent to plex-archiver by Snyk Team.

2 participants

Related news

Red Hat Security Advisory 2024-6536-03

Red Hat Security Advisory 2024-6536-03 - Red Hat AMQ Streams 2.5.2 is now available from the Red Hat Customer Portal. Issues addressed include bypass, denial of service, information leakage, and memory leak vulnerabilities.

GHSA-h9mw-grgx-2fhf: sbt vulnerable to arbitrary file write via archive extraction (Zip Slip)

### Impact Given specially crafted zip or JAR file, `IO.unzip` allows writing of arbitrary file. The follow is an example of a malicious entry: ``` +2018-04-15 22:04:42 ..... 20 20 ../../../../../../root/.ssh/authorized_keys ``` This would have a potential to overwrite `/root/.ssh/authorized_keys`. Within sbt's main code, `IO.unzip` is used in `pullRemoteCache` task and `Resolvers.remote`; however many projects use `IO.unzip(...)` directly to implement custom tasks - https://github.com/search?q=IO.unzip+language%3AScala&type=code&l=Scala&p=1 ### Patches The problem has been patched in https://github.com/sbt/io/pull/360 sbt 1.9.7 is available with the fix. ### Workarounds A workaround might be use some other library to unzip. ### References - https://github.com/snyk/zip-slip-vulnerability - https://security.snyk.io/vuln/SNYK-JAVA-ORGCODEHAUSPLEXUS-31680 - https://github.com/sbt/io/issues/358

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907