sbt Command Injection Vulnerability in VCS URI Fragments on Windows

Vulnerability

A command injection vulnerability has been identified in sbt, a build tool for Scala and Java. The issue affects sbt versions from 0.9.5 up to, but not including, 1.12.7 when running on Windows. It arises because sbt passes the fragment of a user-controlled VCS URI, which carries branch or tag information, directly to the version control system (VCS) command line via the Windows command shell. Because the command shell interprets certain characters as command separators, a crafted fragment can cause arbitrary commands to be executed. The vulnerability has been patched in sbt version 1.12.7.

Impact

Successful exploitation allows arbitrary command execution on Windows systems, with the privileges of the user running the sbt build.

Reproduction

To reproduce this vulnerability, create a build file that includes a dependency with a crafted VCS URL whose URI fragment contains shell metacharacters such as '&', '|', or ';'. When sbt resolves this dependency on Windows, the fragment is handed to the VCS command through the Windows command shell, which executes the injected commands.
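The defensive counterpart to the flaw described above is to treat the URI fragment as untrusted data: extract it, check it against an allow-list of characters a ref name may contain, and hand it to the VCS client as a single argv element rather than through a command shell. The following is an added illustration, not sbt's own code or its actual fix. It assumes the branch or tag is carried in the fragment after `#` (as the advisory describes), that the VCS client is git, and that the caller invokes the returned argv with `subprocess.run(argv)` without `shell=True`; the sample URIs use the reserved `example.invalid` name and are constructed for the example.

```python
"""Added example (not sbt's own code): validate a VCS URI fragment before it
reaches a VCS client, and build the client invocation as an argv list so no
command shell ever parses it.

Assumptions (not taken from the advisory): the branch/tag lives in the URI
fragment after '#', the VCS client is git, and the caller runs the argv with
subprocess.run(argv) and no shell=True.
"""
import re
from typing import List, Optional
from urllib.parse import urlsplit

# Characters cmd.exe treats specially (separators, redirection, escaping,
# variable expansion), plus line breaks and NUL. Used only for a clear
# diagnostic; the allow-list below is the actual gate.
_CMD_METACHARS = re.compile(r'[&|;<>^"%\r\n\x00]')

# Allow-list for ref names: letters, digits, and the punctuation git refs
# commonly use. Anything else is rejected, including whitespace.
_REF_ALLOWED = re.compile(r'[A-Za-z0-9._/+-]+')


class UnsafeFragment(ValueError):
    """Raised when a URI fragment must not be passed to a VCS command."""


def fragment_rejection_reason(ref: str) -> Optional[str]:
    """Return None if ref is acceptable, else a short reason it was rejected."""
    if ref == "":
        return None  # no ref requested: caller falls back to a default
    if _CMD_METACHARS.search(ref):
        return "contains a command-shell metacharacter"
    if not _REF_ALLOWED.fullmatch(ref):
        return "contains a character outside the ref allow-list"
    if ref.startswith("-"):
        return "would be parsed as a command-line option"
    if ".." in ref or "@{" in ref or ref.endswith(".lock") or ref.endswith("/"):
        return "violates git ref-name rules"
    return None


def fragment_is_safe(ref: str) -> bool:
    """Boolean view of fragment_rejection_reason for callers that only branch on it."""
    return fragment_rejection_reason(ref) is None


def checkout_argv(vcs_uri: str, default_ref: str = "HEAD") -> List[str]:
    """Extract the fragment, validate it, and return argv for `git checkout`.

    The list is intended for subprocess.run(argv) with no shell, so the ref
    reaches git as exactly one argument and is never re-parsed by cmd.exe.
    """
    ref = urlsplit(vcs_uri).fragment
    reason = fragment_rejection_reason(ref)
    if reason is not None:
        raise UnsafeFragment(f"refusing fragment {ref!r}: {reason}")
    return ["git", "checkout", ref or default_ref]


if __name__ == "__main__":
    # Constructed sample inputs; example.invalid is a reserved, non-routable name.
    for uri in (
        "https://example.invalid/org/repo.git#release-1.2",
        "https://example.invalid/org/repo.git",
        "https://example.invalid/org/repo.git#main&dir",
    ):
        try:
            print(checkout_argv(uri))
        except UnsafeFragment as exc:
            print("rejected:", exc)
```

Two design points are worth noting. The allow-list, not the metacharacter deny-list, is what makes the check robust: on Windows, even an argv list is flattened into a single command line for `CreateProcess`, and if the VCS client turns out to be a `.bat`/`.cmd` wrapper, `cmd.exe` is involved again and will parse that line. Rejecting a leading `-` also stops a fragment from being interpreted as a git option, which is a separate class of problem from shell injection but arises from the same untrusted input.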

Remediation

Users are advised to upgrade to sbt version 1.12.7 or later, which addresses this vulnerability.

Added: Mar 24, 2026, 8:43 PM
Updated: Mar 24, 2026, 8:43 PM

Vulnerability Rating

Custom Algorithm

  category          score
  spread            0.0
  impact            7.5
  exploitability    7.3
  remediation       0.0
  relevance         4.6
  threat            6.4
  urgency           2.9
  incentive         0.0

Our algorithm analyzes dozens of metrics to produce scores for these 8 vulnerability categories, which are then combined into the overall risk score.