GitHub Advisory Database: GHSA-H9MW-GRGX-2FHF
History: Oct 24, 2023 - 1:51 a.m.
sbt vulnerable to arbitrary file write via archive extraction (Zip Slip)

Published: 2023-10-24 01:51:04
CWE-22 (Path Traversal)
Source: GitHub Advisory Database (github.com)

Tags: sbt, vulnerability, archive extraction, zip slip, arbitrary file write, io.unzip, patch, workaround, security vulnerability

CVSS3: 7.1 High
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: HIGH

EPSS: 0.0004 (Low), percentile 13.2%

Impact

Given a specially crafted zip or JAR file, IO.unzip allows writing an arbitrary file outside the extraction directory (Zip Slip): entry names are joined to the target directory without checking that the resulting path stays inside it. The following is an example of a malicious entry, as shown in an archive listing:

+2018-04-15 22:04:42 ..... 20 20 ../../../../../../root/.ssh/authorized_keys

Extracting this entry as root would overwrite /root/.ssh/authorized_keys. Within sbt's own code, IO.unzip is used in the pullRemoteCache task and in Resolvers.remote; however, many projects call IO.unzip(...) directly to implement custom tasks, so any build that extracts an untrusted archive this way is exposed: https://github.com/search?q=IO.unzip+language%3AScala&type=code&l=Scala&p=1

Patches

The problem has been patched in the sbt/io library: https://github.com/sbt/io/pull/360
sbt 1.9.7 is available with the fix.

Workarounds

Until you can upgrade, use another library to unzip, or, if a custom task extracts archives, check that each entry's normalized destination path is still inside the target directory before writing it; any entry that resolves elsewhere (via "../" segments or an absolute name) must be rejected.
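The following is an added example, not code from sbt or the sbt/io project, of the containment check described in the Impact and Workarounds sections. It is a self-contained Scala replacement for IO.unzip(...) in a custom task: safeUnzip normalizes each entry's destination and refuses any entry that escapes the target directory, and buildZip constructs two small in-memory archives (constructed sample data), one benign and one carrying the traversal entry from the advisory. The object name SafeUnzip, the functions safeUnzip and buildZip, and the exception ZipSlipDetected are names chosen for this example.

```scala
import java.io.{ByteArrayInputStream, ByteArrayOutputStream, InputStream}
import java.nio.file.{Files, Path, StandardCopyOption}
import java.util.zip.{ZipEntry, ZipInputStream, ZipOutputStream}

object SafeUnzip {

  /** Raised when an entry would be written outside the target directory. */
  final case class ZipSlipDetected(entryName: String, resolved: Path)
      extends RuntimeException(s"zip entry '$entryName' escapes target dir: $resolved")

  /** Extracts `in` into `targetDir`, rejecting any entry whose normalized
    * destination is not inside `targetDir`. Returns the files written.
    * Directory creation and copying only happen after the check passes. */
  def safeUnzip(in: InputStream, targetDir: Path): Seq[Path] = {
    val root = targetDir.toAbsolutePath.normalize
    Files.createDirectories(root)
    val zis = new ZipInputStream(in)
    val written = Seq.newBuilder[Path]
    try {
      Iterator.continually(zis.getNextEntry).takeWhile(_ != null).foreach { entry =>
        // Normalize first so "../" segments collapse; an absolute entry name
        // also fails this check because resolve() returns it unchanged.
        val dest = root.resolve(entry.getName).normalize
        if (!dest.startsWith(root)) throw ZipSlipDetected(entry.getName, dest)
        if (entry.isDirectory) Files.createDirectories(dest)
        else {
          Files.createDirectories(dest.getParent)
          // Files.copy reads until the end of the current entry only.
          Files.copy(zis, dest, StandardCopyOption.REPLACE_EXISTING)
          written += dest
        }
        zis.closeEntry()
      }
    } finally zis.close()
    written.result()
  }

  /** Builds a zip archive in memory from (entryName, body) pairs.
    * Used here only to construct sample input for the demonstration. */
  def buildZip(entries: Seq[(String, String)]): Array[Byte] = {
    val bos = new ByteArrayOutputStream()
    val zos = new ZipOutputStream(bos)
    entries.foreach { case (name, body) =>
      zos.putNextEntry(new ZipEntry(name))
      zos.write(body.getBytes("UTF-8"))
      zos.closeEntry()
    }
    zos.close()
    bos.toByteArray
  }

  def main(args: Array[String]): Unit = {
    val target = Files.createTempDirectory("unzip-demo")

    // Benign archive: every entry stays under the target directory.
    val benign = buildZip(Seq("README.md" -> "hello\n", "lib/Util.scala" -> "object Util\n"))
    println(s"extracted: ${safeUnzip(new ByteArrayInputStream(benign), target)}")

    // Malicious archive (constructed) with the traversal entry from the advisory.
    val malicious = buildZip(Seq(
      "ok.txt" -> "fine\n",
      "../../../../../../root/.ssh/authorized_keys" -> "ssh-ed25519 AAAA... attacker\n"))
    try {
      safeUnzip(new ByteArrayInputStream(malicious), target)
      println("unexpected: malicious archive was accepted")
    } catch {
      case e: ZipSlipDetected => println(s"rejected: ${e.getMessage}")
    }
  }
}
```

Path.startsWith compares whole path components, so a target of /tmp/x does not accept /tmp/xy, and the check is applied before any directory is created or any byte is written for that entry. Entries that precede a malicious one are still written before the exception is thrown; if a partial extraction is unacceptable, scan all entry names first and extract only when every one passes.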

References

Affected configurations

Affected Maven coordinates (versions before the sbt 1.9.7 fix):
- org.scala-sbt:io_3
- org.scala-sbt:io_2.13
- org.scala-sbt:io_2.12
- org.scala-sbt:sbt
