Advisories for Maven/Org.scala-Sbt/Io_3 package

2023

sbt vulnerable to arbitrary file write via archive extraction (Zip Slip)

sbt is a build tool for Scala, Java, and others. Given a specially crafted zip or JAR file, IO.unzip allows writing of arbitrary file. This would have potential to overwrite /root/.ssh/authorized_keys. Within sbt's main code, IO.unzip is used in pullRemoteCache task and Resolvers.remote; however many projects use IO.unzip(…) directly to implement custom tasks. This vulnerability has been patched in version 1.9.7.