GHSA-h9mw-grgx-2fhf: sbt vulnerable to arbitrary file write via archive extraction (Zip Slip)

Package

maven org.scala-sbt:io_2.12 (Maven)

Affected versions

>= 1.0.0, < 1.9.7

Patched versions

1.9.7

maven org.scala-sbt:io_2.13 (Maven)

>= 1.0.0, < 1.9.7

1.9.7

maven org.scala-sbt:io_3 (Maven)

>= 1.0.0, < 1.9.7

1.9.7

maven org.scala-sbt:sbt (Maven)

>= 0.3.4, < 1.9.7

1.9.7

Description

Impact

Given specially crafted zip or JAR file, IO.unzip allows writing of arbitrary file. The follow is an example of a malicious entry:

+2018-04-15 22:04:42 ..... 20 20 ../../../../../../root/.ssh/authorized_keys

This would have a potential to overwrite /root/.ssh/authorized_keys. Within sbt’s main code, IO.unzip is used in pullRemoteCache task and Resolvers.remote; however many projects use IO.unzip(…) directly to implement custom tasks - https://github.com/search?q=IO.unzip+language%3AScala&type=code&l=Scala&p=1

Patches

The problem has been patched in sbt/io#360
sbt 1.9.7 is available with the fix.

Workarounds

A workaround might be use some other library to unzip.

References

• https://github.com/snyk/zip-slip-vulnerability
• https://security.snyk.io/vuln/SNYK-JAVA-ORGCODEHAUSPLEXUS-31680
• sbt/io#358

References

• GHSA-h9mw-grgx-2fhf
• https://nvd.nist.gov/vuln/detail/CVE-2023-46122
• sbt/io#358
• sbt/io#360
• sbt/io@1245383

eed3si9n published to sbt/sbt

Oct 22, 2023

Published to the GitHub Advisory Database

Oct 24, 2023

Reviewed

Oct 24, 2023

Last updated

Oct 24, 2023