cbcvebase.
CVE-2022-36944
published 2022-09-23


Priority P261 · critical · CVSS 3.1 base score 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 8.19% (percentile 94.2)
Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR file. On its own, it cannot be exploited. There is only a risk in conjunction with Java object deserialization within an application. In such situations, it allows attackers to erase contents of arbitrary files, make network connections, or possibly run arbitrary code (specifically, Function0 functions) via a gadget chain.

Affected

5 ranges

Vendor          Product                   Version range           Fixed in
debian          scala                     (not listed)            (not listed)
fedoraproject   fedora                    (not listed)            (not listed)
fedoraproject   fedora                    (not listed)            (not listed)
scala-lang      scala                     >= 2.13.0, < 2.13.9     2.13.9
scala-lang      scala-collection-compat   < 2.9.0                 2.9.0

Detection & IOCs (extracted from sources)

  • The deserialization gadget chain in Scala 2.13.x is triggered via LazyList containing a malicious Function0 call; monitor for deserialization of untrusted data invoking Function0 functions in Scala applications
  • The exploit vector is Java object deserialization within an application that uses Scala's LazyList; flag any application endpoint that deserializes untrusted Java objects when Scala 2.13.x (before 2.13.9) is on the classpath
  • The gadget chain resides in Scala's JAR file itself; presence of scala-library 2.13.x < 2.13.9 on the classpath of any service accepting serialized Java objects should be treated as a high-risk condition
  • The vulnerability cannot be exploited standalone; exploitation requires that the target application performs Java object deserialization of attacker-controlled data, so assess only applications with such an attack surface
  • Mitigation (short of patching to 2.13.9+) is to never permit deserialization of untrusted data in any application using Scala's LazyList
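The classpath check described in the bullets above, as an added example that is not part of the advisory, the Scala project or this page's sources. It scans a list of jar paths for scala-library in the 2.13.0 to 2.13.9 range and scala-collection-compat below 2.9.0 (the two ranges in the Affected table), reading the version.number key from library.properties inside scala-library jars (a file the real Scala library ships) rather than trusting the file name, and falling back to the Maven-style file name for other artifacts. The jars it scans are constructed in a temporary directory for the demo; the helper names, the regex and the pre-release ordering rule are this example's own choices.

```python
"""Classpath scan for jars in the CVE-2022-36944 affected ranges.

Added example, not code from the advisory or the Scala project. Sample jars
are constructed below; only their names and library.properties matter here.
"""
import os
import re
import tempfile
import zipfile

# Affected ranges as listed on the page: (lower bound inclusive or None, fixed version).
AFFECTED = {
    "scala-library": ("2.13.0", "2.13.9"),
    "scala-collection-compat": (None, "2.9.0"),
}

# Maven-style file names: scala-library-2.13.8.jar, scala-collection-compat_2.12-2.8.1.jar
JAR_NAME = re.compile(
    r"^(?P<artifact>scala-library|scala-collection-compat)"
    r"(?:_\d+(?:\.\d+)*)?-(?P<version>\d+(?:\.\d+)*(?:-[\w.]+)?)\.jar$"
)


def parse_version(v):
    """'2.13.9-RC1' -> ((2, 13, 9), 0): a pre-release sorts below its final release."""
    core, _, suffix = v.partition("-")
    nums = tuple(int(p) for p in core.split("."))
    return (nums, 0 if suffix else 1)


def is_affected(artifact, version):
    """True if (artifact, version) falls inside one of the page's affected ranges."""
    if artifact not in AFFECTED:
        return False
    lo, fixed = AFFECTED[artifact]
    v = parse_version(version)
    if lo is not None and v < parse_version(lo):
        return False
    return v < parse_version(fixed)


def jar_version(path):
    """(artifact, version) for a tracked Scala jar, or None for anything else."""
    m = JAR_NAME.match(os.path.basename(path))
    if not m:
        return None
    artifact, version = m.group("artifact"), m.group("version")
    # Prefer what the jar says about itself: scala-library ships library.properties
    # with a version.number key, which survives renaming or shading of the file.
    if artifact == "scala-library":
        with zipfile.ZipFile(path) as z:
            if "library.properties" in z.namelist():
                for line in z.read("library.properties").decode().splitlines():
                    key, _, val = line.partition("=")
                    if key.strip() == "version.number":
                        version = val.strip()
    return artifact, version


def scan_classpath(paths):
    """Return [(path, artifact, version)] for every jar in an affected range."""
    hits = []
    for p in paths:
        info = jar_version(p)
        if info and is_affected(*info):
            hits.append((p, *info))
    return hits


def make_jar(directory, name, props=None):
    """Constructed sample jar (not a real Scala artifact) for the demo below."""
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, name)
    with zipfile.ZipFile(path, "w") as z:
        if props:
            z.writestr("library.properties", "\n".join(f"{k}={v}" for k, v in props.items()))
    return path


def demo():
    """Build a constructed classpath and return the affected jars found on it."""
    d = tempfile.mkdtemp()
    classpath = [
        # File name claims 2.13.9 but the jar declares 2.13.8: flagged from the properties.
        make_jar(os.path.join(d, "a"), "scala-library-2.13.9.jar", {"version.number": "2.13.8"}),
        make_jar(os.path.join(d, "b"), "scala-library-2.13.9.jar", {"version.number": "2.13.9"}),
        make_jar(d, "scala-library-2.12.17.jar", {"version.number": "2.12.17"}),  # outside 2.13.x
        make_jar(d, "scala-collection-compat_2.12-2.8.1.jar"),  # below 2.9.0: flagged
        make_jar(d, "scala-collection-compat_2.13-2.9.0.jar"),  # fixed
        make_jar(d, "commons-io-2.11.0.jar"),  # unrelated artifact
    ]
    return scan_classpath(classpath)


if __name__ == "__main__":
    for path, artifact, version in demo():
        print(f"AFFECTED {artifact} {version}: {path}")
```

A hit from this scan is the precondition the third bullet describes, not proof of exposure: the chain fires only when some endpoint of that service deserializes attacker-controlled Java objects (fourth bullet). Pair the inventory with a review of every ObjectInputStream use on the service; where such an endpoint cannot be removed before the upgrade, the JDK's serialization filter (ObjectInputFilter, JEP 290) configured as an allowlist of expected classes rejects gadget classes before they are instantiated.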

CVSS provenance

Source          Score  Severity   Vector
nvd             9.8    CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv             9.8    CRITICAL
vendor_debian   9.8    LOW
vendor_oracle   9.8    CRITICAL
vendor_redhat   9.8    CRITICAL