CVSSv3 9.8

CVE-2022-36944

Published: 23/09/2022 Updated: 07/11/2023
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 0

Vulnerability Summary

Scala 2.13.x prior to 2.13.9 ships a Java deserialization gadget chain in its JAR (scala-library). On its own it cannot be exploited; the risk arises only when an application performs Java object deserialization of untrusted data with that library on its classpath. In that situation the chain lets a malicious user erase the contents of arbitrary files, make network connections, or possibly run arbitrary code (specifically, invoke Function0 instances already present on the classpath).
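As an added example (not code from this page, the Scala project, or the linked PoC repository), the two halves of the precondition the summary describes: a reader that calls readObject() on untrusted bytes with no filter, where every Serializable class on the classpath, including the scala.collection.immutable.LazyList entry class of this chain, is reachable; and a hardened reader that installs a JEP 290 ObjectInputFilter (Java 9+) which refuses the LazyList gadget, allows only the expected payload class, and bounds the object graph. The Message class, the limits and the allow-list are assumptions for the demonstration; the stand-in "unexpected" class is a constructed ArrayList because scala-library is not on the classpath here.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;

// Added example, not from the page or the Scala project.
public class DeserializationGuard {

    /** Hypothetical payload type the application legitimately accepts (assumption). */
    public static final class Message implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Message(String text) { this.text = text; }
    }

    /** Vulnerable pattern: any Serializable class on the classpath is reachable from the bytes. */
    public static Object readUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    /** JEP 290 filter: deny the Scala gadget, allow only expected classes, bound the graph (limits assumed). */
    static final ObjectInputFilter FILTER = info -> {
        if (info.depth() > 10 || info.references() > 100 || info.streamBytes() > 65_536) {
            return ObjectInputFilter.Status.REJECTED;
        }
        Class<?> c = info.serialClass();
        if (c == null) {
            return ObjectInputFilter.Status.UNDECIDED; // back-reference or string: no class to judge
        }
        if (c.getName().startsWith("scala.collection.immutable.LazyList")) {
            return ObjectInputFilter.Status.REJECTED; // the CVE-2022-36944 entry class and its nested classes
        }
        if (c == Message.class || c == String.class) {
            return ObjectInputFilter.Status.ALLOWED;
        }
        return ObjectInputFilter.Status.REJECTED; // default-deny everything else
    };

    /** Hardened pattern: the filter is installed before readObject(), so rejection happens at class resolution. */
    public static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] good = serialize(new Message("hello"));
        System.out.println("filtered, expected class: " + ((Message) readFiltered(good)).text);

        // Constructed stand-in for an unexpected class. A LazyList gadget would be refused at the
        // same point (class descriptor resolution), before any of its readObject code runs.
        byte[] unexpected = serialize(new ArrayList<>());
        System.out.println("unfiltered, unexpected class accepted: " + readUnfiltered(unexpected).getClass());
        try {
            readFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered, unexpected class rejected: " + e.getMessage());
        }
    }
}
```

The filter is a mitigation, not the fix: it blocks the known entry class and anything outside the allow-list, but the classpath still contains the gadget until scala-library is upgraded to 2.13.9 or later. The same policy can be applied JVM-wide without code changes through the `jdk.serialFilter` system property (for example `-Djdk.serialFilter='!scala.collection.immutable.LazyList*;maxdepth=10;...'`), which is the quickest check-and-block for a deployed application that cannot be rebuilt immediately.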

Vulnerable Products

scala-lang scala

scala-lang scala-collection-compat

fedoraproject fedora 35

fedoraproject fedora 36

Vendor Advisories

Overview: Important: Red Hat AMQ Streams 2.4.0 release and security update. Type/Severity: Security Advisory: Important. Title: Red Hat AMQ Streams 2.4.0 is now available from the Red Hat Customer Portal. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base scor ...

Github Repositories

POC for the CVE-2022-36944 vulnerability exploit

CVE-2022-36944 payload generator. This mini-project is created to demonstrate proof of concept of CVE-2022-36944 vulnerability. It is similar to ysoserial, but generates payload only for this CVE with LazyList class. Quick FAQ: What artifacts bring the vulnerability? org.scala-lang:scala-library with versions 2.13.x before 2.13.9. What applications are vulnerable? Two conditions m