PT-2023-29855 · Sbt+1

Xuwei-K · Published 2023-10-23 · Updated 2024-11-15 · CVE-2023-46122

CVSS v3.1: 3.9 (Low)
Vector: AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L
Name of the Vulnerable Software and Affected Versions: sbt versions prior to 1.9.7

Description: A specially crafted zip or JAR file passed to IO.unzip can cause arbitrary files to be written outside the intended extraction directory. This could potentially overwrite /root/.ssh/authorized_keys. Within sbt's main code, IO.unzip is used in the pullRemoteCache task and Resolvers.remote. Many projects also call IO.unzip(...) directly in custom tasks.

Recommendations: For versions prior to 1.9.7, update to version 1.9.7 to resolve the issue. As a temporary workaround, consider using an alternative library to unzip files until the update can be applied. Restrict access to the IO.unzip function to minimize the risk of exploitation. Avoid using IO.unzip directly in custom tasks until the issue is resolved.
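As an added defensive example (not sbt's own code or its fix), this shows the check an extractor must make to be safe against this class of archive: every entry name is resolved against the destination directory before any file is written, and an archive containing an escaping entry is rejected whole rather than partially extracted. It is written in Python with a constructed in-memory archive so it runs offline; the same canonical-path comparison is what a Scala or Java replacement for IO.unzip needs.

```python
import io, tempfile, zipfile
from pathlib import Path

def entry_target(dest: Path, name: str) -> Path:
    """Resolve name against dest; reject '..' segments anywhere, absolute
    names, and anything normalising outside dest (e.g. 'a/../../x')."""
    root = dest.resolve()
    candidate = (root / name).resolve()  # an absolute name replaces root here
    if candidate != root and root not in candidate.parents:
        raise ValueError(f"zip entry escapes extraction directory: {name!r}")
    return candidate

def safe_unzip(zip_bytes: bytes, dest: Path) -> list[str]:
    """Fail closed: validate every name before writing the first byte."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        plan = [(info, entry_target(dest, info.filename)) for info in zf.infolist()]
        written = []
        for info, target in plan:
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as out:
                out.write(src.read())
            written.append(info.filename)
        return written

def build_zip(entries: dict[str, bytes]) -> bytes:
    """Constructed sample archive; zipfile stores names verbatim ('../evil')."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def demo() -> dict:
    """A benign archive extracts; one with an escaping entry is rejected whole."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp) / "out"
        dest.mkdir()
        clean = safe_unzip(build_zip({"lib/a.txt": b"hello"}), dest)
        try:
            safe_unzip(build_zip({"lib/b.txt": b"x", "../evil": b"pwn"}), dest)
            rejected = None
        except ValueError as exc:
            rejected = str(exc)
        return {"written": clean, "rejected": rejected,
                "escaped_file_exists": (Path(tmp) / "evil").exists(),
                "partial_write": (dest / "lib" / "b.txt").exists()}
```

Note that the validation pass runs over the whole entry list before extraction starts, so the benign `lib/b.txt` in the malicious archive is never written either.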

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2023-46122
GHSA-H9MW-GRGX-2FHF
OESA-2024-2422
OPENSUSE-SU-2023_4527-1
SUSE-SU-2023:4527-1
SUSE-SU-2023_4527-1

Affected Products

Suse
Sbt