GHSA-h9mw-grgx-2fhf: sbt vulnerable to arbitrary file write via archive extraction (Zip Slip)

Impact

Given a specially crafted zip or JAR file, IO.unzip allows writing of an arbitrary file. The following is an example of a malicious entry, as shown in an archive listing:

+2018-04-15 22:04:42 ..... 20 20 ../../../../../../root/.ssh/authorized_keys

Because the entry name contains ../ components, extracting this archive as root could overwrite /root/.ssh/authorized_keys and so grant SSH access to the machine. Within sbt’s main code, IO.unzip is used in the pullRemoteCache task and in Resolvers.remote; however, many projects call IO.unzip(...) directly to implement custom tasks - https://github.com/search?q=IO.unzip+language%3AScala&type=code&l=Scala&p=1

Patches

The problem has been patched in https://github.com/sbt/io/pull/360. sbt 1.9.7 is available with the fix.

Workarounds

A workaround is to use another library to unzip, or to reject any archive entry whose normalized path escapes the destination directory before extracting it.
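As an added example (not sbt’s own code and not the IO.unzip implementation), the following Scala program builds a constructed in-memory archive containing an entry shaped like the one listed under Impact, then shows the check a custom task should apply before and during extraction: resolve each entry name against the destination directory, normalize it, and refuse it if the result no longer starts with the destination root. It uses only java.util.zip and java.nio.file; the names SafeUnzip, unzipChecked, traversalEntries and maliciousZip are this example’s own.

```scala
// Added example, not sbt's code. Assumes only the JDK: java.util.zip and java.nio.file.
import java.io.{ByteArrayInputStream, ByteArrayOutputStream, File}
import java.nio.file.{Files, Path, StandardCopyOption}
import java.util.zip.{ZipEntry, ZipInputStream, ZipOutputStream}

object SafeUnzip {

  /** Extract `zip` into `dest`, refusing any entry whose normalized path escapes `dest`.
    * Returns the files written; throws SecurityException on a traversal entry so the task fails loudly.
    */
  def unzipChecked(zip: Array[Byte], dest: File): Seq[Path] = {
    val root = dest.toPath.toAbsolutePath.normalize()
    Files.createDirectories(root)
    val in = new ZipInputStream(new ByteArrayInputStream(zip))
    val written = Seq.newBuilder[Path]
    try {
      var entry: ZipEntry = in.getNextEntry
      while (entry != null) {
        // Resolve against the destination, then normalize so "../" segments collapse.
        val target = root.resolve(entry.getName).normalize()
        // The Zip Slip check: after normalization the path must still be under the root.
        // This also rejects absolute entry names such as "/etc/passwd".
        if (!target.startsWith(root))
          throw new SecurityException(s"Zip Slip entry rejected: ${entry.getName}")
        if (entry.isDirectory) Files.createDirectories(target)
        else {
          Files.createDirectories(target.getParent)
          Files.copy(in, target, StandardCopyOption.REPLACE_EXISTING)
          written += target
        }
        in.closeEntry()
        entry = in.getNextEntry
      }
    } finally in.close()
    written.result()
  }

  /** Pre-check for code that still hands the archive to another unzip routine: list every
    * entry name whose normalized path would escape `dest`, without writing anything.
    * An empty result means the archive can be extracted into `dest` without traversal.
    */
  def traversalEntries(zip: Array[Byte], dest: File): Seq[String] = {
    val root = dest.toPath.toAbsolutePath.normalize()
    val in = new ZipInputStream(new ByteArrayInputStream(zip))
    val bad = Seq.newBuilder[String]
    try {
      var entry = in.getNextEntry
      while (entry != null) {
        if (!root.resolve(entry.getName).normalize().startsWith(root)) bad += entry.getName
        entry = in.getNextEntry
      }
    } finally in.close()
    bad.result()
  }

  /** Constructed sample: one benign entry plus one traversal entry like the advisory's listing. */
  def maliciousZip(): Array[Byte] = {
    val bytes = new ByteArrayOutputStream()
    val out = new ZipOutputStream(bytes)
    def add(name: String, body: String): Unit = {
      out.putNextEntry(new ZipEntry(name))
      out.write(body.getBytes("UTF-8"))
      out.closeEntry()
    }
    add("README.txt", "benign\n")
    add("../../../../../../root/.ssh/authorized_keys", "ssh-ed25519 AAAA... attacker\n")
    out.close()
    bytes.toByteArray
  }

  def main(args: Array[String]): Unit = {
    val dest = Files.createTempDirectory("unzip-demo").toFile
    val archive = maliciousZip()
    // Check the whole archive first so a bad entry does not leave a partially extracted tree.
    val bad = traversalEntries(archive, dest)
    if (bad.nonEmpty) println(s"refusing archive, traversal entries: ${bad.mkString(", ")}")
    else unzipChecked(archive, dest).foreach(p => println(s"wrote $p"))
  }
}
```

The check compares Path objects rather than strings so that a destination such as /tmp/out does not wrongly accept an entry resolving to /tmp/outside; normalizing before the startsWith test is what defeats the ../ sequences in the entry name.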

References

  • https://github.com/snyk/zip-slip-vulnerability
  • https://security.snyk.io/vuln/SNYK-JAVA-ORGCODEHAUSPLEXUS-31680
  • https://github.com/sbt/io/issues/358

Package

Package (Maven)            Affected versions    Patched versions
org.scala-sbt:io_2.12      >= 1.0.0, < 1.9.7    1.9.7
org.scala-sbt:io_2.13      >= 1.0.0, < 1.9.7    1.9.7
org.scala-sbt:io_3         >= 1.0.0, < 1.9.7    1.9.7
org.scala-sbt:sbt          >= 0.3.4, < 1.9.7    1.9.7

References

  • GHSA-h9mw-grgx-2fhf
  • https://nvd.nist.gov/vuln/detail/CVE-2023-46122
  • sbt/io#358
  • sbt/io#360
  • sbt/io@1245383

Published by eed3si9n to sbt/sbt: Oct 22, 2023

Published to the GitHub Advisory Database: Oct 24, 2023

Reviewed: Oct 24, 2023

Last updated: Oct 24, 2023

Related news

Red Hat Security Advisory 2024-6536-03

Red Hat Security Advisory 2024-6536-03 - Red Hat AMQ Streams 2.5.2 is now available from the Red Hat Customer Portal. Issues addressed include bypass, denial of service, information leakage, and memory leak vulnerabilities.

CVE-2023-46122: zip slip vulnerability · Issue #358 · sbt/io

sbt is a build tool for Scala, Java, and others. Given a specially crafted zip or JAR file, `IO.unzip` allows writing of an arbitrary file. This has the potential to overwrite `/root/.ssh/authorized_keys`. Within sbt's main code, `IO.unzip` is used in the `pullRemoteCache` task and `Resolvers.remote`; however, many projects use `IO.unzip(...)` directly to implement custom tasks. This vulnerability has been patched in version 1.9.7.