CVE-2022-36944
unknown
CVSS v3
—
CVSS v2
—
VIR risk
—
Description
Scala is subject to file deletion and code execution due to a Java deserialization chain involving LazyList object deserialization.
Predictions
Exploit likelihood
30%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2022-36944
Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2022-36944.html
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| sles | | affected | |
| debian | bookworm | fixed | 0 |
| debian | bullseye | fixed | 0 |
| debian | forky | fixed | 0 |
| debian | sid | fixed | 0 |
| debian | trixie | fixed | 0 |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Maven | org.scala-lang:scala-library | >=2.13.0,<2.13.9 | 2.13.9 |
References
- https://www.suse.com/security/cve/CVE-2022-36944.html
- https://nvd.nist.gov/vuln/detail/CVE-2022-36944
- https://github.com/scala/scala/pull/10118
- https://discuss.lightbend.com/t/impact-of-cve-2022-36944-on-akka-cluster-akka-actor-akka-remote/10007/2
- https://github.com/scala/scala
- https://github.com/scala/scala-collection-compat/releases/tag/v2.9.0
- https://github.com/scala/scala/releases/tag/v2.13.9
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6ZOZVWY3X72FZZCCRAKRJYTQOJ6LUD6Z
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L3WMKPFAMFQE3HJVRQ5KOJUTWG264SXI
- https://www.scala-lang.org/download
- https://security-tracker.debian.org/tracker/CVE-2022-36944