GHSA-h9mw-grgx-2fhf

Suggest an improvement
Source
https://github.com/advisories/GHSA-h9mw-grgx-2fhf
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-h9mw-grgx-2fhf/GHSA-h9mw-grgx-2fhf.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-h9mw-grgx-2fhf
Aliases
Published
2023-10-24T01:51:04Z
Modified
2023-11-10T05:28:44.063827Z
Severity
  • 3.9 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L CVSS Calculator
Summary
sbt vulnerable to arbitrary file write via archive extraction (Zip Slip)
Details

Impact

Given specially crafted zip or JAR file, IO.unzip allows writing of arbitrary file. The follow is an example of a malicious entry:

+2018-04-15 22:04:42 ..... 20 20 ../../../../../../root/.ssh/authorized_keys

This would have a potential to overwrite /root/.ssh/authorized_keys. Within sbt's main code, IO.unzip is used in pullRemoteCache task and Resolvers.remote; however many projects use IO.unzip(...) directly to implement custom tasks - https://github.com/search?q=IO.unzip+language%3AScala&type=code&l=Scala&p=1

Patches

The problem has been patched in https://github.com/sbt/io/pull/360 sbt 1.9.7 is available with the fix.

Workarounds

A workaround might be use some other library to unzip.

References

  • https://github.com/snyk/zip-slip-vulnerability
  • https://security.snyk.io/vuln/SNYK-JAVA-ORGCODEHAUSPLEXUS-31680
  • https://github.com/sbt/io/issues/358
Database specific
{
    "nvd_published_at": "2023-10-23T16:15:09Z",
    "cwe_ids": [
        "CWE-22"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2023-10-24T01:51:04Z"
}
References

Affected packages

Maven / org.scala-sbt:sbt

Package

Name
org.scala-sbt:sbt
View open source insights on deps.dev
Purl
pkg:maven/org.scala-sbt/sbt

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.3.4
Fixed
1.9.7

Affected versions

0.*

0.99.2
0.99.4

1.*

1.0.0-M1
1.0.0-M2
1.0.0-M3
1.0.0-M4
1.0.0-M5
1.0.0-M6
1.0.0-RC1
1.0.0-RC2
1.0.0-RC3
1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.1.0-M1
1.1.0-RC1
1.1.0-RC2
1.1.0-RC3
1.1.0-RC4
1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.1.6
1.2.0-M1
1.2.0-RC1
1.2.0-RC2
1.2.0-RC3
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.2.6
1.2.7
1.2.8
1.3.0-M1
1.3.0-M2
1.3.0-M3
1.3.0-M4
1.3.0-M5
1.3.0-M5-94d5ec
1.3.0-RC1
1.3.0-RC2
1.3.0-RC3
1.3.0-RC4
1.3.0-RC5
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6
1.3.7
1.3.8
1.3.9
1.3.10
1.3.11
1.3.12
1.3.13
1.4.0-M1
1.4.0-M2
1.4.0-RC1
1.4.0-RC2
1.4.0
1.4.1
1.4.2
1.4.3
1.4.4
1.4.5
1.4.6
1.4.7
1.4.8
1.4.9
1.5.0-M1
1.5.0-M2
1.5.0-RC1
1.5.0-RC2
1.5.0
1.5.1
1.5.2
1.5.3
1.5.4
1.5.5
1.5.6
1.5.7
1.5.8
1.6.0-M1
1.6.0-RC1
1.6.0-RC2
1.6.0
1.6.1
1.6.2
1.7.0-M1
1.7.0-M2
1.7.0-M2-6810fix
1.7.0-M3
1.7.0-RC1
1.7.0-RC2
1.7.0
1.7.1
1.7.2
1.7.3
1.8.0-RC1
1.8.0
1.8.1
1.8.2
1.8.3
1.9.0-M1
1.9.0-RC1
1.9.0-RC2
1.9.0-RC3
1.9.0
1.9.1
1.9.2
1.9.3
1.9.4
1.9.5
1.9.6

Maven / org.scala-sbt:io_2.12

Package

Name
org.scala-sbt:io_2.12
View open source insights on deps.dev
Purl
pkg:maven/org.scala-sbt/io_2.12

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.0.0
Fixed
1.9.7

Affected versions

1.*

1.0.0
1.0.1
1.0.2
1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.1.6
1.1.7
1.1.8
1.1.9
1.1.10
1.2.0-M1
1.2.0-M2
1.2.0
1.2.1
1.2.2
1.3.0-M1
1.3.0-M2
1.3.0-M3
1.3.0-M4
1.3.0-M5
1.3.0-M6
1.3.0-M7
1.3.0-M8
1.3.0-M9
1.3.0-M10
1.3.0-M11
1.3.0-M12
1.3.0-M13
1.3.0-M14
1.3.0-M15
1.3.0-M16
1.3.0-M17
1.3.0-M18
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.4.0-M1
1.4.0-M2
1.4.0-M3
1.4.0-M4
1.4.0-M5
1.4.0-M6
1.4.0-M7
1.4.0-M8
1.4.0
1.5.0-M1
1.5.0
1.5.1
1.6.0-M1
1.6.0-M2
1.6.0
1.7.0
1.8.0
1.8.1
1.9.0-M1
1.9.0-RC3
1.9.0
1.9.1

Maven / org.scala-sbt:io_2.13

Package

Name
org.scala-sbt:io_2.13
View open source insights on deps.dev
Purl
pkg:maven/org.scala-sbt/io_2.13

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.0.0
Fixed
1.9.7

Affected versions

1.*

1.3.0-M11
1.3.0-M12
1.3.0-M13
1.3.0-M14
1.3.0-M15
1.3.0-M16
1.3.0-M17
1.3.0-M18
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.4.0-M1
1.4.0-M2
1.4.0-M3
1.4.0-M4
1.4.0-M5
1.4.0-M6
1.4.0-M7
1.4.0-M8
1.4.0
1.5.0-M1
1.5.0
1.5.1
1.6.0-M1
1.6.0-M2
1.6.0
1.7.0
1.8.0
1.8.1
1.9.0-M1
1.9.0-RC3
1.9.0
1.9.1

Maven / org.scala-sbt:io_3

Package

Name
org.scala-sbt:io_3
View open source insights on deps.dev
Purl
pkg:maven/org.scala-sbt/io_3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.0.0
Fixed
1.9.7

Affected versions

1.*

1.6.0-M2
1.6.0
1.7.0
1.8.0
1.8.1
1.9.0-M1
1.9.0-RC3
1.9.0
1.9.1