CVE-2022-36944
Published on: Not Yet Published
Last Modified on: 12/06/2022 01:15:00 PM UTC
Certain versions of Fedora from Fedoraproject contain the following vulnerability:
Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR file. On its own, it cannot be exploited. There is only a risk in conjunction with Java object deserialization within an application. In such situations, it allows attackers to erase contents of arbitrary files, make network connections, or possibly run arbitrary code (specifically, Function0 functions) via a gadget chain.
- CVE-2022-36944 has been assigned by [email protected] to track the vulnerability - currently rated as CRITICAL severity.
CVSS3 Score: 9.8 - CRITICAL
Attack Vector | Attack Complexity | Privileges Required | User Interaction |
---|---|---|---|
NETWORK | LOW | NONE | NONE |

Scope | Confidentiality Impact | Integrity Impact | Availability Impact |
---|---|---|---|
UNCHANGED | HIGH | HIGH | HIGH |
CVE References
Description | Tags | Link |
---|---|---|
Impact of CVE-2022-36944 on akka-cluster, akka-actor, akka-remote - #2 by johanandren - Akka Cluster - Discussion Forum for Akka Platform technologies | text/html | discuss.lightbend.com |
[SECURITY] Fedora 35 Update: scala-2.13.9-1.fc35 - package-announce - Fedora Mailing-Lists | text/html | lists.fedoraproject.org |
Install | The Scala Programming Language | text/html | www.scala-lang.org |
[SECURITY] Fedora 36 Update: scala-2.13.9-1.fc36 - package-announce - Fedora Mailing-Lists | text/html | lists.fedoraproject.org |
Release 2.9.0 · scala/scala-collection-compat · GitHub | text/html | github.com |
For security, prevent `Function0` execution during `LazyList` deserialization by lrytz · Pull Request #10118 · scala/scala · GitHub | text/html | github.com |
Related QID Numbers
Known Affected Configurations (CPE V2.3)
Type | Vendor | Product | Version | Update | Edition | Language |
---|---|---|---|---|---|---|
Operating System | Fedoraproject | Fedora | 35 | All | All | All |
Operating System | Fedoraproject | Fedora | 36 | All | All | All |
Application | Scala-lang | Scala | All | All | All | All |
- cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
- cpe:2.3:a:scala-lang:scala:*:*:*:*:*:*:*:*
No vendor comments have been submitted for this CVE
Social Mentions
Source | Title | Posted (UTC) |
---|---|---|
twitter.com | CVE-2022-36944 : Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR file. On its own, it cannot… twitter.com/i/web/status/1… | 2022-09-23 18:10:33 |
 | CVE-2022-36944 | 2022-09-23 18:38:52 |