[ENTMQST-6235] CVE-2023-46122

Type: Bug
Resolution: Done-Errata
Priority: Undefined
Fix Version/s: 2.5.2.GA
Affects Version/s: None
Component/s: None
Labels:
None

Epic Link:
Productization of Streams for Apache Kafka 2.5.2
Blocked:
False
Blocked Reason:
None
Ready:
False
Target Release:

2.5.2.GA
Intelligence Requested:
Market:

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

sbt is a build tool for Scala, Java, and others. Given a specially crafted zip or JAR file, `IO.unzip` allows writing of arbitrary file. This would have potential to overwrite `/root/.ssh/authorized_keys`. Within sbt's main code, `IO.unzip` is used in `pullRemoteCache` task and `Resolvers.remote`; however many projects use `IO.unzip(...)` directly to implement custom tasks. This vulnerability has been patched in version 1.9.7.

https://nvd.nist.gov/vuln/detail/CVE-2023-46122

links to

RHSA-2024:138376 Red Hat AMQ Streams 2.5.2 release and security update

mentioned in: Page No Confluence page found with the given URL.

Errata Tool added a comment - 2025/03/07 11:30 AM

Since the problem described in this issue should be resolved in a recent advisory, it has been closed.

For information on the advisory (Moderate: Red Hat AMQ Streams 2.5.2 release and security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHSA-2024:6536

Errata Tool added a comment - 2025/03/07 11:30 AM Since the problem described in this issue should be resolved in a recent advisory, it has been closed. For information on the advisory (Moderate: Red Hat AMQ Streams 2.5.2 release and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2024:6536

Errata Tool added a comment - 2024/09/10 2:19 PM

Since the problem described in this issue should be resolved in a recent advisory, it has been closed.

For information on the advisory (Moderate: Red Hat AMQ Streams 2.5.2 release and security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHSA-2024:6536

Errata Tool added a comment - 2024/09/10 2:19 PM Since the problem described in this issue should be resolved in a recent advisory, it has been closed. For information on the advisory (Moderate: Red Hat AMQ Streams 2.5.2 release and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2024:6536

Christopher Foley added a comment - 2024/08/05 7:44 AM

Fixed in Scala 2.13.14, which we are using now.

Christopher Foley added a comment - 2024/08/05 7:44 AM Fixed in Scala 2.13.14, which we are using now.

Assignee:: Unassigned

Reporter:: Christopher Foley

Tester:: Lukas Kral

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Created:: 2024/08/05 7:43 AM

Updated:: 2025/03/07 11:30 AM

Resolved:: 2024/09/10 2:19 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

Collapse comment: Errata Tool added a comment - 2025/03/07 11:30 AM

Expand comment: Errata Tool added a comment - 2025/03/07 11:30 AM

Collapse comment: Errata Tool added a comment - 2024/09/10 2:19 PM

Expand comment: Errata Tool added a comment - 2024/09/10 2:19 PM

Collapse comment: Christopher Foley added a comment - 2024/08/05 7:44 AM

Expand comment: Christopher Foley added a comment - 2024/08/05 7:44 AM

People

Dates