Vulnerability Details : CVE-2022-36944
Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR file. On its own, it cannot be exploited. There is only a risk in conjunction with Java object deserialization within an application. In such situations, it allows attackers to erase contents of arbitrary files, make network connections, or possibly run arbitrary code (specifically, Function0 functions) via a gadget chain.
Products affected by CVE-2022-36944
- cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
- cpe:2.3:a:scala-lang:scala:*:*:*:*:*:*:*:*
- cpe:2.3:a:scala-lang:scala-collection-compat:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-36944
- EPSS score: 0.75% (probability of exploitation activity in the next 30 days)
- Percentile: ~81% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2022-36944
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | 
9.8 | CRITICAL | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | N/A | N/A | Oracle:CPUOct2023 | 
CWE ids for CVE-2022-36944
- The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid. Assigned by: nvd@nist.gov (Primary)
References for CVE-2022-36944
- https://www.scala-lang.org/download/ : Install | The Scala Programming Language (Vendor Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6ZOZVWY3X72FZZCCRAKRJYTQOJ6LUD6Z/ : [SECURITY] Fedora 35 Update: scala-2.13.9-1.fc35 - package-announce - Fedora Mailing-Lists (Mailing List; Third Party Advisory)
- https://github.com/scala/scala/pull/10118 : For security, prevent `Function0` execution during `LazyList` deserialization by lrytz · Pull Request #10118 · scala/scala · GitHub (Exploit; Patch; Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L3WMKPFAMFQE3HJVRQ5KOJUTWG264SXI/ : [SECURITY] Fedora 36 Update: scala-2.13.9-1.fc36 - package-announce - Fedora Mailing-Lists (Mailing List; Third Party Advisory)
- https://github.com/scala/scala-collection-compat/releases/tag/v2.9.0 : Release 2.9.0 · scala/scala-collection-compat · GitHub (Release Notes; Third Party Advisory)
- https://discuss.lightbend.com/t/impact-of-cve-2022-36944-on-akka-cluster-akka-actor-akka-remote/10007/2 : Impact of CVE-2022-36944 on akka-cluster, akka-actor, akka-remote - Akka / Akka Cluster - Discussion Forum for Akka Platform technologies (Third Party Advisory)