CVE-2017-15288 — Incorrect Permission Assignment in Scala

CWE-732 — Incorrect Permission Assignment CWE-377 — Insecure Temporary File8 documents6 sources

Severity

7.8HIGHNVD

EPSS

0.1%

top 78.23%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Scala-lang Scala Debian Scala

Timeline

PublishedNov 15

Latest updateOct 19

Description

The compilation daemon in Scala before 2.10.7, 2.11.x before 2.11.12, and 2.12.x before 2.12.4 uses weak permissions for private files in /tmp/scala-devel/${USER:shared}/scalac-compile-server-port, which allows local users to write to arbitrary class files and consequently gain privileges.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages3 packages

▶debiandebian/scala< scala 2.11.12-1 (bookworm)

▶NVDscala-lang/scala2.11.0 — 2.11.12+2

▶Debianscala-lang/scala< 2.11.12-1+3

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

High severity vulnerability that affects org.scala-lang:scala-compiler↗2018-10-19

▶

OSV

High severity vulnerability that affects org.scala-lang:scala-compiler↗2018-10-19

▶

OSV

CVE-2017-15288: The compilation daemon in Scala before 2↗2017-11-15

▶

📋Vendor Advisories

Red Hat

scala: Privilege escalation in Scala compilation daemon↗2017-11-13

▶

Debian

CVE-2017-15288: scala - The compilation daemon in Scala before 2.10.7, 2.11.x before 2.11.12, and 2.12.x...↗2017

▶

💬Community

Bugzilla

CVE-2017-15288 scala: Privilege escalation in Scala compilation daemon↗2017-11-23

▶

Bugzilla

CVE-2017-15288 scala: Privilege escalation in Scala compilation daemon [fedora-all]↗2017-11-23

▶