GHSA-h9mw-grgx-2fhf
Suggest an improvement- Source
- https://github.com/advisories/GHSA-h9mw-grgx-2fhf
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-h9mw-grgx-2fhf/GHSA-h9mw-grgx-2fhf.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-h9mw-grgx-2fhf
- Aliases
- Published
- 2023-10-24T01:51:04Z
- Modified
- 2023-11-10T05:28:44.063827Z
- Severity
-
- 3.9 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L CVSS Calculator
- Summary
- sbt vulnerable to arbitrary file write via archive extraction (Zip Slip)
- Details
-
Impact
Given specially crafted zip or JAR file,
IO.unzipallows writing of arbitrary file. The follow is an example of a malicious entry:+2018-04-15 22:04:42 ..... 20 20 ../../../../../../root/.ssh/authorized_keysThis would have a potential to overwrite
/root/.ssh/authorized_keys. Within sbt's main code,IO.unzipis used inpullRemoteCachetask andResolvers.remote; however many projects useIO.unzip(...)directly to implement custom tasks - https://github.com/search?q=IO.unzip+language%3AScala&type=code&l=Scala&p=1Patches
The problem has been patched in https://github.com/sbt/io/pull/360 sbt 1.9.7 is available with the fix.
Workarounds
A workaround might be use some other library to unzip.
References
- https://github.com/snyk/zip-slip-vulnerability
- https://security.snyk.io/vuln/SNYK-JAVA-ORGCODEHAUSPLEXUS-31680
- https://github.com/sbt/io/issues/358
- Database specific
{ "nvd_published_at": "2023-10-23T16:15:09Z", "severity": "LOW", "github_reviewed": true, "github_reviewed_at": "2023-10-24T01:51:04Z", "cwe_ids": [ "CWE-22" ] }- References
Affected packages
Maven / org.scala-sbt:sbt
Package
- Name
- org.scala-sbt:sbt
- View open source insights on deps.dev
- Purl
- pkg:maven/org.scala-sbt/sbt
Affected versions
0.*
0.99.2
0.99.4
1.*
1.0.0-M1
1.0.0-M2
1.0.0-M3
1.0.0-M4
1.0.0-M5
1.0.0-M6
1.0.0-RC1
1.0.0-RC2
1.0.0-RC3
1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.1.0-M1
1.1.0-RC1
1.1.0-RC2
1.1.0-RC3
1.1.0-RC4
1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.1.6
1.2.0-M1
1.2.0-RC1
1.2.0-RC2
1.2.0-RC3
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.2.6
1.2.7
1.2.8
1.3.0-M1
1.3.0-M2
1.3.0-M3
1.3.0-M4
1.3.0-M5
1.3.0-M5-94d5ec
1.3.0-RC1
1.3.0-RC2
1.3.0-RC3
1.3.0-RC4
1.3.0-RC5
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6
1.3.7
1.3.8
1.3.9
1.3.10
1.3.11
1.3.12
1.3.13
1.4.0-M1
1.4.0-M2
1.4.0-RC1
1.4.0-RC2
1.4.0
1.4.1
1.4.2
1.4.3
1.4.4
1.4.5
1.4.6
1.4.7
1.4.8
1.4.9
1.5.0-M1
1.5.0-M2
1.5.0-RC1
1.5.0-RC2
1.5.0
1.5.1
1.5.2
1.5.3
1.5.4
1.5.5
1.5.6
1.5.7
1.5.8
1.6.0-M1
1.6.0-RC1
1.6.0-RC2
1.6.0
1.6.1
1.6.2
1.7.0-M1
1.7.0-M2
1.7.0-M2-6810fix
1.7.0-M3
1.7.0-RC1
1.7.0-RC2
1.7.0
1.7.1
1.7.2
1.7.3
1.8.0-RC1
1.8.0
1.8.1
1.8.2
1.8.3
1.9.0-M1
1.9.0-RC1
1.9.0-RC2
1.9.0-RC3
1.9.0
1.9.1
1.9.2
1.9.3
1.9.4
1.9.5
1.9.6
Maven / org.scala-sbt:io_2.12
Package
- Name
- org.scala-sbt:io_2.12
- View open source insights on deps.dev
- Purl
- pkg:maven/org.scala-sbt/io_2.12
Affected versions
1.*
1.0.0
1.0.1
1.0.2
1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.1.6
1.1.7
1.1.8
1.1.9
1.1.10
1.2.0-M1
1.2.0-M2
1.2.0
1.2.1
1.2.2
1.3.0-M1
1.3.0-M2
1.3.0-M3
1.3.0-M4
1.3.0-M5
1.3.0-M6
1.3.0-M7
1.3.0-M8
1.3.0-M9
1.3.0-M10
1.3.0-M11
1.3.0-M12
1.3.0-M13
1.3.0-M14
1.3.0-M15
1.3.0-M16
1.3.0-M17
1.3.0-M18
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.4.0-M1
1.4.0-M2
1.4.0-M3
1.4.0-M4
1.4.0-M5
1.4.0-M6
1.4.0-M7
1.4.0-M8
1.4.0
1.5.0-M1
1.5.0
1.5.1
1.6.0-M1
1.6.0-M2
1.6.0
1.7.0
1.8.0
1.8.1
1.9.0-M1
1.9.0-RC3
1.9.0
1.9.1
Maven / org.scala-sbt:io_2.13
Package
- Name
- org.scala-sbt:io_2.13
- View open source insights on deps.dev
- Purl
- pkg:maven/org.scala-sbt/io_2.13
Affected versions
1.*
1.3.0-M11
1.3.0-M12
1.3.0-M13
1.3.0-M14
1.3.0-M15
1.3.0-M16
1.3.0-M17
1.3.0-M18
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.4.0-M1
1.4.0-M2
1.4.0-M3
1.4.0-M4
1.4.0-M5
1.4.0-M6
1.4.0-M7
1.4.0-M8
1.4.0
1.5.0-M1
1.5.0
1.5.1
1.6.0-M1
1.6.0-M2
1.6.0
1.7.0
1.8.0
1.8.1
1.9.0-M1
1.9.0-RC3
1.9.0
1.9.1
Maven / org.scala-sbt:io_3
Package
- Name
- org.scala-sbt:io_3
- View open source insights on deps.dev
- Purl
- pkg:maven/org.scala-sbt/io_3