CVE-2023-46122

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-46122

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-46122.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-46122

Aliases

GHSA-h9mw-grgx-2fhf

Related

SUSE-SU-2023:4527-1

Published

2023-10-23T16:15:09Z

Modified

2024-06-06T14:24:51.476030Z

Severity

7.1 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H CVSS Calculator

Summary

[none]

Details

sbt is a build tool for Scala, Java, and others. Given a specially crafted zip or JAR file, IO.unzip allows writing of arbitrary file. This would have potential to overwrite /root/.ssh/authorized_keys. Within sbt's main code, IO.unzip is used in pullRemoteCache task and Resolvers.remote; however many projects use IO.unzip(...) directly to implement custom tasks. This vulnerability has been patched in version 1.9.7.

References

Affected packages

Git / github.com/sbt/io

Affected ranges

Type: GIT
Repo: https://github.com/sbt/io
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

124538348db0713c80793cb57b915f97ec13188a

Type: GIT
Repo: https://github.com/sbt/sbt
Events: Introduced

816958d8c84a0f82968dbfb8f7f1daa85c3cc7ba

Fixed

25f2ea03ea101eeae63fbf68737242fafabe0f3a

Affected versions

v1.*

v1.0.0

v1.0.0-M10

v1.0.0-M11

v1.0.0-M12

v1.0.0-M13

v1.0.0-M2

v1.0.0-M3

v1.0.0-M4

v1.0.0-M5

v1.0.0-M6

v1.0.0-M7

v1.0.0-M8

v1.0.0-M9

v1.0.0-RC3

v1.0.1

v1.0.2

v1.0.3

v1.0.4

v1.1.0

v1.1.0-M1

v1.1.0-RC1

v1.1.0-RC2

v1.1.0-RC3

v1.1.0-RC4

v1.1.1

v1.1.10

v1.1.2

v1.1.3

v1.1.4

v1.1.5

v1.1.6

v1.1.7

v1.1.8

v1.1.9

v1.2.0

v1.2.0-M1

v1.2.0-M2

v1.2.0-RC1

v1.2.0-RC2

v1.2.0-RC3

v1.2.1

v1.2.2

v1.2.3

v1.2.4

v1.2.5

v1.2.6

v1.2.7

v1.2.8

v1.3.0

v1.3.0-M1

v1.3.0-M10

v1.3.0-M11

v1.3.0-M12

v1.3.0-M13

v1.3.0-M14

v1.3.0-M15

v1.3.0-M16

v1.3.0-M17

v1.3.0-M18

v1.3.0-M2

v1.3.0-M3

v1.3.0-M4

v1.3.0-M5

v1.3.0-M5-94d5ec

v1.3.0-M6

v1.3.0-M7

v1.3.0-M8

v1.3.0-M9

v1.3.0-RC1

v1.3.0-RC2

v1.3.0-RC3

v1.3.0-RC4

v1.3.0-RC5

v1.4.0

v1.4.0-M1

v1.4.0-M2

v1.4.0-M3

v1.4.0-M4

v1.4.0-M5

v1.4.0-M6

v1.4.0-M7

v1.4.0-M8

v1.4.0-RC1

v1.4.0-RC2

v1.4.1

v1.4.2

v1.4.3

v1.5.0

v1.5.0-M1

v1.5.0-M2

v1.5.0-RC1

v1.5.0-RC2

v1.5.1

v1.5.2

v1.5.3

v1.5.4

v1.6.0

v1.6.0-M1

v1.6.0-M2

v1.6.0-RC1

v1.6.0-RC2

v1.6.2

v1.7.0

v1.7.0-M1

v1.7.0-M2

v1.7.0-M3

v1.7.0-RC1

v1.7.0-RC2

v1.7.1

v1.8.0

v1.8.0-RC1

v1.8.1

v1.9.0

v1.9.0-M1

v1.9.0-RC1

v1.9.0-RC2

v1.9.0-RC2-1

v1.9.0-RC3

v1.9.1

v1.9.2

v1.9.3

v1.9.4

v1.9.5

v1.9.6