CVE-2022-36944
CRITICAL severity · CVSS 9.8 · Insecure deserialization
9.8CVSS CRITICAL
Summary
Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR file. On its own, it cannot be exploited. There is only a risk in conjunction with Java object deserialization within an application. In such situations, it allows attackers to erase contents of arbitrary files, make network connections, or possibly run arbitrary code (specifically, Function0 functions) via a gadget chain.
Impact & exploitability
Attack vectorNetwork
Attack complexityLow
Privileges requiredNone
User interactionNone
Confidentiality impactHigh
Integrity impactHigh
Availability impactHigh
Exploit probability (EPSS)8%
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products we track (1)
Recommendation
Apply the vendor fix promptly. Open any affected product above for its exact safe version.
Official patch: https://github.com/scala/scala/pull/10118 ↗
Additional information
- NVD record
- https://github.com/scala/scala/pull/10118Patch
- https://www.scala-lang.org/download/Advisory
- https://discuss.lightbend.com/t/impact-of-cve-2022-36944-on-akka-cluster-akka-actor-akka-remote/10007/2Advisory
- https://github.com/scala/scala-collection-compat/releases/tag/v2.9.0Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6ZOZVWY3X72FZZCCRAKRJYTQOJ6LUD6Z/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L3WMKPFAMFQE3HJVRQ5KOJUTWG264SXI/