Closed
Description
steps
sbt depends on OkHttp, both directly and transitively through coursier.
The version pulled is version 3, which is no longer maintained. The last release was 2 years ago and OkHttp has been rewritten in Kotlin since then.
The vulnerability was fixed a long time ago too, but the fix wasn't backported to version 3 and most likely never will be.
problem
This version suffers from CVE-2021-0341.
As a result, it triggers vulnerability scans and some organizations will block it.
Also, because of the lack of classloader isolation between sbt and the plugins (#5569), plugin authors can't upgrade on their side either.
expectation
sbt doesn't depend on a vulnerable dependency.
notes
I'm going to also open an issue against coursier.
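A practical way to find out whether the unmaintained OkHttp 3.x line is sitting in a local sbt boot, ivy or coursier cache is to scan the jars on disk rather than trust the resolution report alone. The script below is an added example, not code from sbt or coursier. It assumes that OkHttp jars carry the standard Maven `META-INF/maven/com.squareup.okhttp3/okhttp/pom.properties` entry (preferred, since relocated or shaded jars often lose the `okhttp-<version>.jar` file name) and falls back to the file name otherwise. It treats every major version below 4 as affected, because the issue states the fix was never backported to 3.x; which 4.x release actually contains the fix is not encoded here and should be checked against the advisory. The sample cache tree it scans is constructed inside the script.

```python
"""Scan a directory of jars (for example an sbt boot or coursier cache) for
OkHttp artifacts and flag any from the unmaintained 3.x line.

Added example, not sbt's or coursier's own code. Assumptions: OkHttp jars carry
META-INF/maven/com.squareup.okhttp3/okhttp/pom.properties (standard for Maven
builds), and the whole 3.x line is affected because the fix was never
backported to it. The fixed 4.x release is deliberately not encoded here.
"""
import os
import re
import shutil
import tempfile
import zipfile
from dataclasses import dataclass

GROUP_ID = "com.squareup.okhttp3"
ARTIFACT_ID = "okhttp"
POM_PROPERTIES = f"META-INF/maven/{GROUP_ID}/{ARTIFACT_ID}/pom.properties"
MIN_MAINTAINED_MAJOR = 4  # assumption: anything below is the unmaintained 3.x line

_FILENAME_RE = re.compile(r"^okhttp-(\d+(?:\.\d+)*(?:-[\w.]+)?)\.jar$")
_MAJOR_RE = re.compile(r"^(\d+)")


@dataclass(frozen=True)
class Finding:
    path: str
    version: str
    source: str   # "pom.properties" (authoritative) or "filename" (fallback)
    flagged: bool


def is_flagged(version: str) -> bool:
    """True for the unmaintained line, or when the major cannot be parsed."""
    m = _MAJOR_RE.match(version)
    return m is None or int(m.group(1)) < MIN_MAINTAINED_MAJOR


def okhttp_version(jar_path: str):
    """Return (version, source) if the jar is OkHttp's core artifact, else None."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            if POM_PROPERTIES in zf.namelist():
                text = zf.read(POM_PROPERTIES).decode("utf-8", "replace")
                for line in text.splitlines():
                    key, _, value = line.partition("=")
                    if key.strip() == "version" and value.strip():
                        return value.strip(), "pom.properties"
    except zipfile.BadZipFile:
        pass  # not a zip at all; fall through to the file-name heuristic
    m = _FILENAME_RE.match(os.path.basename(jar_path))
    return (m.group(1), "filename") if m else None


def scan(root: str):
    """Walk root and return a Finding for every OkHttp core jar, sorted by path."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            hit = okhttp_version(path)
            if hit:
                version, source = hit
                findings.append(Finding(path, version, source, is_flagged(version)))
    return sorted(findings, key=lambda f: f.path)


def _write_jar(path: str, entries: dict):
    """Write a minimal jar (a zip) containing the given {name: text} entries."""
    with zipfile.ZipFile(path, "w") as zf:
        for name, text in entries.items():
            zf.writestr(name, text)


def build_sample_tree(root: str):
    """Constructed sample cache: a 3.x jar that lost its name, a 4.x jar, an unrelated jar."""
    lib = os.path.join(root, "jars")
    os.makedirs(lib, exist_ok=True)
    _write_jar(os.path.join(lib, "relocated.jar"),
               {POM_PROPERTIES: "version=3.12.13\ngroupId=com.squareup.okhttp3\nartifactId=okhttp\n"})
    _write_jar(os.path.join(lib, "okhttp-4.12.0.jar"), {"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n"})
    _write_jar(os.path.join(lib, "okio-1.17.2.jar"), {"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n"})


def demo():
    """Build the constructed tree in a temp dir, scan it, and return findings keyed by file name."""
    root = tempfile.mkdtemp(prefix="okhttp-scan-")
    try:
        build_sample_tree(root)
        return {os.path.basename(f.path): f for f in scan(root)}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, f in demo().items():
        status = "FLAGGED (unmaintained 3.x line)" if f.flagged else "not 3.x (verify against the advisory)"
        print(f"{name}: okhttp {f.version} via {f.source}: {status}")
```

To run it against a real machine, replace `demo()` with `scan(os.path.expanduser("~/.sbt/boot"))` or point it at the coursier cache; the output distinguishes a pom-backed identification from a file-name guess so a relocated jar is not silently missed.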
eed3si9n