CVE-2022-36944 — Deserialization of Untrusted Data in Scala

CWE-502 — Deserialization of Untrusted Data18 documents7 sources

Severity

9.8CRITICALNVD

EPSS

65.2%

top 1.51%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Scala-lang Scala Scala-lang Scala-collection-compat Fedoraproject Fedora +1 more

Timeline

PublishedSep 23

Latest updateJul 17

Description

Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR file. On its own, it cannot be exploited. There is only a risk in conjunction with Java object deserialization within an application. In such situations, it allows attackers to erase contents of arbitrary files, make network connections, or possibly run arbitrary code (specifically, Function0 functions) via a gadget chain.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶NVDscala-lang/scala2.13.0 — 2.13.9

▶NVDscala-lang/scala-collection-compat< 2.9.0

▶debiandebian/scala

Also affects: Fedora 35, 36

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Scala subject to file deletion, code execution due to Java deserialization chain with LazyList object deserialization↗2022-09-25

▶

GHSA

Scala subject to file deletion, code execution due to Java deserialization chain with LazyList object deserialization↗2022-09-25

▶

OSV

CVE-2022-36944: Scala 2↗2022-09-23

▶

📋Vendor Advisories

Oracle

Oracle Oracle Financial Services Applications Risk Matrix: Installer (Scala) — CVE-2022-36944↗2024-07-15

▶

Oracle

Oracle Oracle Communications Applications Risk Matrix: Security (Scala) — CVE-2022-36944↗2024-01-15

▶

Oracle

Oracle Oracle Communications Risk Matrix: CMP (Scala) — CVE-2022-36944↗2023-10-15

▶

Oracle

Oracle Oracle Communications Risk Matrix: Other (Scala) — CVE-2022-36944↗2023-07-15

▶

Red Hat

scala: deserialization gadget chain↗2022-09-23

▶

🕵️Threat Intelligence

Qualys

Oracle Critical Patch Update, July 2024 Security Update Review↗2024-07-17

▶

Qualys

Oracle Critical Patch Security Update: July 2024 Review | Qualys↗2024-07-17

▶

Qualys

Oracle Patch Update, January 2024 Security Update Review↗2024-01-17

▶

Qualys

Oracle Patch Update, January 2024 Security Update Review | Qualys↗2024-01-17

▶

Qualys

Oracle Patch Tuesday, October 2023 Security Update Review | Qualys↗2023-10-18

▶