CVE-2022-36944 – org.scala-lang:scala-library

Package

Manager: maven
Name: org.scala-lang:scala-library
Vulnerable Version: >=2.13.0 <2.13.9

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.72592 pctl0.98723

Details

Scala subject to file deletion, code execution due to Java deserialization chain with LazyList object deserialization Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR file. On its own, it cannot be exploited. There is only a risk in conjunction with LazyList object deserialization within an application. In such situations, it allows attackers to erase contents of arbitrary files, make network connections, or possibly run arbitrary code (specifically, Function0 functions) via a gadget chain.

Metadata

Created: 2022-09-25T00:00:20Z
Modified: 2022-09-28T14:10:01Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-8qv5-68g4-248j/GHSA-8qv5-68g4-248j.json
CWE IDs: ["CWE-502"]
Alternative ID: GHSA-8qv5-68g4-248j
Finding: F096
Auto approve: 1