SUSE: CVE-2023-46122: SUSE Linux Security Advisory
Description
sbt is a build tool for Scala, Java, and others. Given a specially crafted zip or JAR file, `IO.unzip` allows writing of arbitrary file. This would have potential to overwrite `/root/.ssh/authorized_keys`. Within sbt's main code, `IO.unzip` is used in `pullRemoteCache` task and `Resolvers.remote`; however many projects use `IO.unzip(...)` directly to implement custom tasks. This vulnerability has been patched in version 1.9.7.
Solution(s)
- suse-upgrade-maven
- suse-upgrade-maven-javadoc
- suse-upgrade-maven-lib
- suse-upgrade-maven-resolver
- suse-upgrade-maven-resolver-api
- suse-upgrade-maven-resolver-connector-basic
- suse-upgrade-maven-resolver-impl
- suse-upgrade-maven-resolver-javadoc
- suse-upgrade-maven-resolver-named-locks
- suse-upgrade-maven-resolver-spi
- suse-upgrade-maven-resolver-test-util
- suse-upgrade-maven-resolver-transport-classpath
- suse-upgrade-maven-resolver-transport-file
- suse-upgrade-maven-resolver-transport-http
- suse-upgrade-maven-resolver-transport-wagon
- suse-upgrade-maven-resolver-util
- suse-upgrade-sbt
- suse-upgrade-sbt-bootstrap
- suse-upgrade-xmvn
- suse-upgrade-xmvn-api
- suse-upgrade-xmvn-connector
- suse-upgrade-xmvn-connector-javadoc
- suse-upgrade-xmvn-core
- suse-upgrade-xmvn-install
- suse-upgrade-xmvn-minimal
- suse-upgrade-xmvn-mojo
- suse-upgrade-xmvn-mojo-javadoc
- suse-upgrade-xmvn-parent
- suse-upgrade-xmvn-resolve
- suse-upgrade-xmvn-subst
- suse-upgrade-xmvn-tools-javadoc
- Lightweight Endpoint Agent
- Live Dashboards
- Real Risk Prioritization
- IT-Integrated Remediation Projects
- Cloud, Virtual, and Container Assessment
- Integrated Threat Feeds
- Easy-to-Use RESTful API
- Automation-Assisted Patching
- Automated Containment
With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.
– Scott Cheney, Manager of Information Security, Sierra View Medical Center