CVE-2023-46122

CVSS 3.1 Score 7.1 of 10 (high)

Details

Published Oct 23, 2023

Updated: Oct 31, 2023

CWE ID 22

Summary

CVE-2023-46122 is a vulnerability affecting sbt, a build tool for Scala, Java, and other languages. This issue enables an attacker to write arbitrary files, including potentially overwriting `/root/.ssh/authorized_keys`, by supplying a maliciously crafted zip or JAR file to the `IO.unzip` function. This vulnerability can be found in sbt's `pullRemoteCache` task and `Resolvers.remote`, as well as in many custom tasks where developers directly use `IO.unzip`. This security flaw has been addressed in version 1.9.7 of sbt.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

https://app.recordedfuture.com/live/sc/entity/tCGFU2
https://www.cve.org/CVERecord?id=CVE-2023-46122
https://nvd.nist.gov/vuln/detail/CVE-2023-46122

Back to Vulnerability Database

CVE-2023-46122

CVSS 3.1 Score 7.1 of 10 (high)

Details

Summary

Advisories, Assessments, and Mitigations