sbt is a build tool for Scala, Java, and others. From version 0.9.5 to before version 1.12.7, on Windows, sbt uses Process("cmd", "/c", ...) to run VCS commands (git, hg, svn). The URI fragment (branch, tag, revision) is user-controlled via the build definition and passed to these commands without validation.
Because cmd /c interprets &, |, and ; as command separators, a malicious fragment can execute arbitrary commands. This issue has been patched in version 1.12.7.
Attack Parameters
Attack Vector
Local
Requires local access
Attack Complexity
Low
Easy to exploit
Attack Requirements
None
No additional conditions
Privileges Required
None
No privileges needed
User Interaction
Active
User action required
Impact Assessment
Confidentiality
None
No data leak
Integrity
High
Complete data modification
Availability
None
No disruption
CVSS Vector v4.0
Weakness Type (CWE)
References 4
https://github.com/sbt/sbt/commit/1ce945b6b79cbe3cef6c0fe9efbbd2904e0f479e
security-advisories@github.com
https://github.com/sbt/sbt/commit/3a474ab060df4dbfa825a7e7bc97e00056519800
security-advisories@github.com
https://github.com/sbt/sbt/releases/tag/v1.12.7
security-advisories@github.com
https://github.com/sbt/sbt/security/advisories/GHSA-x4ff-q6h8-v7gw
security-advisories@github.com