Headline
GHSA-h9mw-grgx-2fhf: sbt vulnerable to arbitrary file write via archive extraction (Zip Slip)
Impact
Given a specially crafted zip or JAR file, IO.unzip allows writing of an arbitrary file. The following is an example of a malicious entry:
+2018-04-15 22:04:42 ..... 20 20 ../../../../../../root/.ssh/authorized_keys
This would have the potential to overwrite /root/.ssh/authorized_keys. Within sbt's main code, IO.unzip is used in the pullRemoteCache task and Resolvers.remote; however, many projects use IO.unzip(...) directly to implement custom tasks - https://github.com/search?q=IO.unzip+language%3AScala&type=code&l=Scala&p=1
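The entry above shows the defect class: the archive name is joined to the destination and the `..` segments walk out of it. As an added illustration that is not sbt's code (written in Python rather than the Scala of sbt/io so it runs without a JVM), here is the containment check a hardened extractor needs, run over a constructed in-memory archive that carries that exact entry name; the function names and the scratch directory are my own.

```python
import io
import os
import tempfile
import zipfile
# Constructed test archive: one benign entry plus the traversal entry quoted in the advisory.
MALICIOUS_NAME = "../../../../../../root/.ssh/authorized_keys"

def build_test_zip():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/ok.txt", "benign content")
        zf.writestr(MALICIOUS_NAME, "constructed placeholder key line")
    return buf.getvalue()

def safe_target(dest, name):
    """Resolve `name` under `dest`; return None if the canonical path escapes `dest`."""
    # realpath() collapses '..' and follows symlinks, so both sides are compared in canonical
    # form. Absolute entry names fail the check too, because join() drops `dest` for them.
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(root, name))
    if target == root or target.startswith(root + os.sep):
        return target
    return None

def unzip_safely(data, dest):
    """Extract `data` under `dest`; one escaping entry rejects the whole archive before any write."""
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        for info in infos:  # validate every name first, then write
            if safe_target(dest, info.filename) is None:
                raise ValueError(f"zip-slip entry rejected: {info.filename!r}")
        for info in infos:
            target = safe_target(dest, info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written

def run_demo():
    """Extract the constructed archive into a scratch directory and report what happened."""
    with tempfile.TemporaryDirectory() as dest:
        try:
            unzip_safely(build_test_zip(), dest)
            rejected = None
        except ValueError as exc:
            rejected = str(exc)
        return {"rejected": rejected, "files_written": len(os.listdir(dest))}
```

Because validation happens before extraction, the benign lib/ok.txt entry is not written either; the archive is refused as a whole rather than partially unpacked.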
Patches
The problem has been patched in https://github.com/sbt/io/pull/360. sbt 1.9.7 is available with the fix.
Workarounds
A possible workaround is to use some other library to unzip.
References
- https://github.com/snyk/zip-slip-vulnerability
- https://security.snyk.io/vuln/SNYK-JAVA-ORGCODEHAUSPLEXUS-31680
- https://github.com/sbt/io/issues/358
Package | Affected versions | Patched versions
maven org.scala-sbt:io_2.12 (Maven) | >= 1.0.0, < 1.9.7 | 1.9.7
maven org.scala-sbt:io_2.13 (Maven) | >= 1.0.0, < 1.9.7 | 1.9.7
maven org.scala-sbt:io_3 (Maven) | >= 1.0.0, < 1.9.7 | 1.9.7
maven org.scala-sbt:sbt (Maven) | >= 0.3.4, < 1.9.7 | 1.9.7
References
- GHSA-h9mw-grgx-2fhf
- https://nvd.nist.gov/vuln/detail/CVE-2023-46122
- sbt/io#358
- sbt/io#360
- sbt/io@1245383
eed3si9n published to sbt/sbt: Oct 22, 2023
Published to the GitHub Advisory Database: Oct 24, 2023
Reviewed: Oct 24, 2023
Last updated: Oct 24, 2023
Related news
Red Hat Security Advisory 2024-6536-03 - Red Hat AMQ Streams 2.5.2 is now available from the Red Hat Customer Portal. Issues addressed include bypass, denial of service, information leakage, and memory leak vulnerabilities.
sbt is a build tool for Scala, Java, and others. Given a specially crafted zip or JAR file, `IO.unzip` allows writing of arbitrary file. This would have potential to overwrite `/root/.ssh/authorized_keys`. Within sbt's main code, `IO.unzip` is used in `pullRemoteCache` task and `Resolvers.remote`; however many projects use `IO.unzip(...)` directly to implement custom tasks. This vulnerability has been patched in version 1.9.7.