GHSA-H9MW-GRGX-2FHF

Vulnerability from github – Published: 2023-10-24 01:51 – Updated: 2023-11-01 05:51
VLAI?
Summary
sbt vulnerable to arbitrary file write via archive extraction (Zip Slip)
Details

Impact

Given specially crafted zip or JAR file, IO.unzip allows writing of arbitrary file. The follow is an example of a malicious entry:

+2018-04-15 22:04:42 ..... 20 20 ../../../../../../root/.ssh/authorized_keys

This would have a potential to overwrite /root/.ssh/authorized_keys. Within sbt's main code, IO.unzip is used in pullRemoteCache task and Resolvers.remote; however many projects use IO.unzip(...) directly to implement custom tasks - https://github.com/search?q=IO.unzip+language%3AScala&type=code&l=Scala&p=1

Patches

The problem has been patched in https://github.com/sbt/io/pull/360 sbt 1.9.7 is available with the fix.

Workarounds

A workaround might be use some other library to unzip.

References

  • https://github.com/snyk/zip-slip-vulnerability
  • https://security.snyk.io/vuln/SNYK-JAVA-ORGCODEHAUSPLEXUS-31680
  • https://github.com/sbt/io/issues/358
Severity ?
3.9 (Low)
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.scala-sbt:sbt"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.3.4"
            },
            {
              "fixed": "1.9.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.scala-sbt:io_2.12"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "1.9.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.scala-sbt:io_2.13"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "1.9.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.scala-sbt:io_3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "1.9.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-46122"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-10-24T01:51:04Z",
    "nvd_published_at": "2023-10-23T16:15:09Z",
    "severity": "LOW"
  },
  "details": "### Impact\n\nGiven specially crafted zip or JAR file, `IO.unzip` allows writing of arbitrary file. The follow is an example of a malicious entry:\n\n```\n+2018-04-15 22:04:42 ..... 20 20 ../../../../../../root/.ssh/authorized_keys\n```\n\nThis would have a potential to overwrite `/root/.ssh/authorized_keys`. Within sbt\u0027s main code, `IO.unzip` is used in `pullRemoteCache` task and `Resolvers.remote`; however many projects use `IO.unzip(...)` directly to implement custom tasks - https://github.com/search?q=IO.unzip+language%3AScala\u0026type=code\u0026l=Scala\u0026p=1\n\n### Patches\n\nThe problem has been patched in https://github.com/sbt/io/pull/360\nsbt 1.9.7 is available with the fix.\n\n### Workarounds\nA workaround might be use some other library to unzip.\n\n### References\n\n- https://github.com/snyk/zip-slip-vulnerability\n- https://security.snyk.io/vuln/SNYK-JAVA-ORGCODEHAUSPLEXUS-31680\n- https://github.com/sbt/io/issues/358",
  "id": "GHSA-h9mw-grgx-2fhf",
  "modified": "2023-11-01T05:51:17Z",
  "published": "2023-10-24T01:51:04Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/sbt/sbt/security/advisories/GHSA-h9mw-grgx-2fhf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46122"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sbt/io/issues/358"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sbt/io/pull/360"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sbt/io/commit/124538348db0713c80793cb57b915f97ec13188a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sbt/sbt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "sbt vulnerable to arbitrary file write via archive extraction (Zip Slip)"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.