Low severity · NVD Advisory · Published Oct 23, 2023 · Updated Sep 17, 2024
Arbitrary file write via archive extraction (Zip Slip) vulnerability in sbt
CVE-2023-46122
Description
sbt is a build tool for Scala, Java, and others. Given a specially crafted zip or JAR file, IO.unzip allows writing of arbitrary files, which has the potential to overwrite /root/.ssh/authorized_keys. Within sbt's main code, IO.unzip is used in the pullRemoteCache task and Resolvers.remote; however, many projects use IO.unzip(...) directly to implement custom tasks. This vulnerability has been patched in version 1.9.7.
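The check that closes this bug class, as an added example written here in Scala for custom tasks that call IO.unzip themselves (it is not sbt's IO.unzip or its fix): resolve each entry name against the extraction directory and refuse any entry that lands outside it. The SafeUnzip and ZipSlipDetected names and the in-memory sample archive are constructed for this example.

```scala
import java.io.{ByteArrayOutputStream, InputStream}
import java.nio.file.{Files, Path, StandardCopyOption}
import java.util.zip.{ZipEntry, ZipInputStream, ZipOutputStream}

// Added example, not sbt's IO.unzip: extract an archive into `target`, refusing
// any entry whose name resolves outside the target directory (Zip Slip).
object SafeUnzip {
  // Hypothetical exception type for this example.
  final case class ZipSlipDetected(entry: String)
      extends RuntimeException(s"zip entry escapes target directory: $entry")

  def unzip(in: InputStream, target: Path): Seq[Path] = {
    val root = target.toAbsolutePath.normalize
    Files.createDirectories(root)
    val zis = new ZipInputStream(in)
    val written = Seq.newBuilder[Path]
    try {
      var entry: ZipEntry = zis.getNextEntry
      while (entry != null) {
        // normalize collapses "../" segments; an absolute entry name replaces
        // root entirely; names resolving to root itself ("", ".") are rejected too.
        val dest = root.resolve(entry.getName).normalize
        if (dest == root || !dest.startsWith(root)) throw ZipSlipDetected(entry.getName)
        if (entry.isDirectory) Files.createDirectories(dest)
        else {
          Files.createDirectories(dest.getParent)
          Files.copy(zis, dest, StandardCopyOption.REPLACE_EXISTING)
          written += dest
        }
        zis.closeEntry()
        entry = zis.getNextEntry
      }
    } finally zis.close()
    written.result()
  }

  // Constructed sample archive: a benign entry followed by a traversal entry.
  def sampleArchive(): Array[Byte] = {
    val bytes = new ByteArrayOutputStream()
    val zos = new ZipOutputStream(bytes)
    for ((name, body) <- Seq("ok/hello.txt" -> "hello", "../escaped.txt" -> "oops")) {
      zos.putNextEntry(new ZipEntry(name))
      zos.write(body.getBytes("UTF-8"))
      zos.closeEntry()
    }
    zos.close()
    bytes.toByteArray
  }
}
```

Calling `SafeUnzip.unzip(new java.io.ByteArrayInputStream(SafeUnzip.sampleArchive()), dir)` writes `ok/hello.txt` under `dir` and then throws `ZipSlipDetected` for `../escaped.txt`, so nothing is written outside `dir`. Entries are checked as they are read, so a rejected archive can be left partially extracted; validate every name first if that matters for your task.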
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.scala-sbt:sbt (Maven) | >= 0.3.4, < 1.9.7 | 1.9.7 |
| org.scala-sbt:io_2.12 (Maven) | >= 1.0.0, < 1.9.7 | 1.9.7 |
| org.scala-sbt:io_2.13 (Maven) | >= 1.0.0, < 1.9.7 | 1.9.7 |
| org.scala-sbt:io_3 (Maven) | >= 1.0.0, < 1.9.7 | 1.9.7 |
Affected products
84 versions (no CPE), grouped by package and affected range:

| Ecosystem / distribution | Package | Affected range |
|---|---|---|
| Maven | org.scala-sbt:io_2.12, org.scala-sbt:io_2.13, org.scala-sbt:io_3 | >= 1.0.0, < 1.9.7 |
| Maven | org.scala-sbt:sbt | >= 0.3.4, < 1.9.7 |
| openSUSE Leap 15.4, 15.5 (rpm) | maven | < 3.9.4-150200.4.18.1 |
| openSUSE Leap 15.4, 15.5 (rpm) | maven-resolver | < 1.9.15-150200.3.14.2 |
| openSUSE Leap 15.4, 15.5 (rpm) | sbt, sbt-bootstrap | < 0.13.18-150200.4.16.1 |
| openSUSE Leap 15.4, 15.5 (rpm) | xmvn, xmvn-connector, xmvn-mojo, xmvn-parent, xmvn-tools | < 4.2.0-150200.3.14.1 |
| SUSE Enterprise Storage 7.1; SLE High Performance Computing 15 SP2-LTSS, SP3-ESPOS, SP3-LTSS; SLE Module for Development Tools 15 SP4, SP5; SLES 15 SP2-LTSS, SP3-LTSS; SLES for SAP Applications 15 SP2, SP3 (rpm) | maven | < 3.9.4-150200.4.18.1 |
| same SUSE products as maven (rpm) | maven-resolver | < 1.9.15-150200.3.14.2 |
| SLE Module for Package Hub 15 SP5 (rpm) | sbt, sbt-bootstrap | < 0.13.18-150200.4.16.1 |
| same SUSE products as maven (rpm) | xmvn, xmvn-connector, xmvn-mojo, xmvn-tools | < 4.2.0-150200.3.14.1 |
References
- github.com/advisories/GHSA-h9mw-grgx-2fhf (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-46122 (NVD advisory)
- github.com/sbt/io/commit/124538348db0713c80793cb57b915f97ec13188a (fix commit)
- github.com/sbt/io/issues/358 (issue)
- github.com/sbt/io/pull/360 (pull request)
- github.com/sbt/sbt/security/advisories/GHSA-h9mw-grgx-2fhf (sbt security advisory, confirmation)