EUVD-2023-2746
Malicious code in bioql PyPI...
CVE-2023-46122
sbt is a build tool for Scala, Java, and others. Given a specially crafted zip or JAR file, IO.unzip allows writing of arbitrary files. This would have the potential to overwrite /root/.ssh/authorized_keys. Within sbt's main code, IO.unzip is used in the pullRemoteCache task and Resolvers.remote; however...
africa.shuwari.sbt:sbt-js_2.12_1.0 (>=0.14.1 <=0.16.1), africa.shuwari.sbt:sbt-netbeans_2.12_1.0 (>=0.1.0 <=0.1.1) +544 more potentially affected by CVE-2023-46122 via org.scala-sbt:sbt (>=0.99.2 <=1.9.6)
org.scala-sbt:sbt (MAVEN) versions: =0.99.2, =0.14.1, =0.1.0, =0.9.6, =0.12.1, =0.9.6, =0.9.6, =0.9.6, =0.9.6, =0.14.1, =0.9.6, =0.14.1, =0.1.0, =0.0.1, =0.0.5 and more
Source CVEs: CVE-2023-46122
Source advisory: OSV:GHSA-H9MW-GRGX-2FHF...
GHSA-H9MW-GRGX-2FHF sbt vulnerable to arbitrary file write via archive extraction (Zip Slip)
Impact: Given a specially crafted zip or JAR file, IO.unzip allows writing of arbitrary files. The following is an example of a malicious entry (as shown in an archive listing): `+2018-04-15 22:04:42 ..... 20 20 ../../../../../../root/.ssh/authorized_keys`. This would have the potential to overwrite /root/.ssh/authorized_keys. Within sbt's ma...
sbt path traversal vulnerability
sbt is a build tool for Scala, Java and more. Versions prior to sbt 1.9.7 contain a path traversal vulnerability that allows attackers to write arbitrary files via specially crafted zip or JAR files...