CVE-2023-46122: sbt vulnerable to arbitrary file write via archive extraction (Zip Slip)
sbt is a build tool for Scala, Java, and others. Given a specially crafted zip or JAR file, IO.unzip allows writing of arbitrary files, which could be used to overwrite /root/.ssh/authorized_keys. Within sbt’s main code, IO.unzip is used in the pullRemoteCache task and in Resolvers.remote; however, many projects call IO.unzip(...) directly to implement custom tasks. This vulnerability has been patched in version 1.9.7.
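As an added example (not sbt's own code), the canonical-path check that separates a Zip Slip entry from a benign one, shown in Python over a constructed in-memory archive: it audits every entry name against the destination directory and refuses the whole archive before writing anything.

```python
import io
import os
import tempfile
import zipfile
from typing import Dict, List, Optional, Tuple

def build_sample_archive(include_traversal: bool) -> bytes:
    """Build a small zip in memory (constructed sample, not a real artifact).
    With include_traversal=True one entry name climbs out of the target dir."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/ok.txt", "benign")
        if include_traversal:
            zf.writestr("../../escaped.txt", "must never be written")
    return buf.getvalue()

def stays_inside(dest: str, name: str) -> bool:
    """Canonicalise dest/name and require it to remain under dest.
    realpath collapses '..' and follows symlinks; an absolute entry name
    (e.g. /root/.ssh/authorized_keys) fails the same prefix test."""
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(root, name))
    return target == root or target.startswith(root + os.sep)

def audit_archive(data: bytes, dest: str = "/tmp/target") -> Dict[str, bool]:
    """Map each entry name to True (safe) or False (escapes dest); writes nothing."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {i.filename: stays_inside(dest, i.filename) for i in zf.infolist()}

def unzip_checked(data: bytes, dest: Optional[str] = None) -> Tuple[str, List[str]]:
    """Extract into dest (a fresh temp dir if None). The whole archive is
    refused if any entry would land outside dest. Returns (dest, names)."""
    dest = dest or tempfile.mkdtemp(prefix="unzip-")
    bad = [n for n, ok in audit_archive(data, dest).items() if not ok]
    if bad:
        raise ValueError(f"refusing archive: entries escape {dest}: {bad}")
    root = os.path.realpath(dest)
    written: List[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            target = os.path.join(root, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            if not info.is_dir():
                with open(target, "wb") as f:
                    f.write(zf.read(info))
            written.append(info.filename)
    return dest, written
```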