Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR file. On its own, it cannot be exploited. There is only a risk in conjunction with Java object deserialization within an application. In such situations, it allows attackers to erase contents of arbitrary files, make network connections, or possibly run arbitrary code (specifically, Function0 functions) via a gadget chain.
References
Configurations
History
07 Nov 2023, 03:49
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
27 Jul 2023, 15:19
Type | Values Removed | Values Added |
---|---|---|
First Time |
Scala-lang scala-collection-compat
|
|
CPE | cpe:2.3:a:scala-lang:scala-collection-compat:*:*:*:*:*:*:*:* |
03 Feb 2023, 19:05
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://github.com/scala/scala-collection-compat/releases/tag/v2.9.0 - Release Notes, Third Party Advisory |
06 Dec 2022, 13:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
08 Nov 2022, 02:57
Type | Values Removed | Values Added |
---|---|---|
First Time |
Fedoraproject
Fedoraproject fedora |
|
CPE | cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:* cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:* |
|
References | (MISC) https://discuss.lightbend.com/t/impact-of-cve-2022-36944-on-akka-cluster-akka-actor-akka-remote/10007/2 - Third Party Advisory | |
References | (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L3WMKPFAMFQE3HJVRQ5KOJUTWG264SXI/ - Mailing List, Third Party Advisory | |
References | (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6ZOZVWY3X72FZZCCRAKRJYTQOJ6LUD6Z/ - Mailing List, Third Party Advisory |
12 Oct 2022, 14:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
Summary | Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR file. On its own, it cannot be exploited. There is only a risk in conjunction with Java object deserialization within an application. In such situations, it allows attackers to erase contents of arbitrary files, make network connections, or possibly run arbitrary code (specifically, Function0 functions) via a gadget chain. |
06 Oct 2022, 20:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
26 Sep 2022, 22:50
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-502 | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.8 |
References | (MISC) https://github.com/scala/scala/pull/10118 - Exploit, Patch, Third Party Advisory | |
References | (MISC) https://www.scala-lang.org/download/ - Vendor Advisory | |
CPE | cpe:2.3:a:scala-lang:scala:*:*:*:*:*:*:*:* | |
First Time |
Scala-lang
Scala-lang scala |
23 Sep 2022, 18:18
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-09-23 18:15
Updated : 2023-12-10 14:35
NVD link : CVE-2022-36944
Mitre link : CVE-2022-36944
CVE.ORG link : CVE-2022-36944
JSON object : View
Products Affected
fedoraproject
- fedora
scala-lang
- scala
- scala-collection-compat
CWE
CWE-502
Deserialization of Untrusted Data