Vulnerability CVE-2022-36944: Information

Description

Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR file. On its own, it cannot be exploited. There is only a risk in conjunction with Java object deserialization within an application. In such situations, it allows attackers to erase contents of arbitrary files, make network connections, or possibly run arbitrary code (specifically, Function0 functions) via a gadget chain.

Severity: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

URL: https://nvd.nist.gov/vuln/detail/CVE-2022-36944
Published: Sept. 23, 2022
Modified: Nov. 7, 2023
Error type identifier: CWE-502

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
scalasisyphus2.13.9-alt12.13.9-alt3ALT-PU-2023-5825-1330091Fixed
scalap102.13.9-alt0.p10.12.13.9-alt3ALT-PU-2023-6353-2330092Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://www.scala-lang.org/download/
  • Vendor Advisory
https://github.com/scala/scala/pull/10118
  • Exploit
  • Patch
  • Third Party Advisory
https://discuss.lightbend.com/t/impact-of-cve-2022-36944-on-akka-cluster-akka-actor-akka-remote/10007/2
  • Third Party Advisory
https://github.com/scala/scala-collection-compat/releases/tag/v2.9.0
  • Release Notes
  • Third Party Advisory
FEDORA-2022-34acf878fb
    FEDORA-2022-07dd9375b2

        1. Configuration 1

          cpe:2.3:a:scala-lang:scala:*:*:*:*:*:*:*:*
          Start including
          2.13.0
          End excliding
          2.13.9
          cpe:2.3:a:scala-lang:scala-collection-compat:*:*:*:*:*:*:*:*
          End excliding
          2.9.0

          Configuration 2

          cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
          cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
      VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
      Version: v24.5.0
      Back to top