Vulmon Recent Vulnerabilities Product List Research Posts Trends Blog About Contact
9.8
CVSSv3

CVE-2022-36944

Published: 23/09/2022 Updated: 07/11/2023
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 0

Vulnerability Summary

Scala 2.13.x prior to 2.13.9 has a Java deserialization chain in its JAR file. On its own, it cannot be exploited. There is only a risk in conjunction with Java object deserialization within an application. In such situations, it allows malicious users to erase contents of arbitrary files, make network connections, or possibly run arbitrary code (specifically, Function0 functions) via a gadget chain.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

scala-lang scala

scala-lang scala-collection-compat

fedoraproject fedora 35

fedoraproject fedora 36

Vendor Advisories

Red Hat: Important: Red Hat AMQ Streams 2.4.0 release and security update
概述 Important: Red Hat AMQ Streams 240 release and security update 类型/严重性 Security Advisory: Important 标题 Red Hat AMQ Streams 240 is now available from the Red Hat Customer PortalRed Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability Scoring System (CVSS) base scor ...

Github Repositories

https://github.com/yarocher/lazylist-cve-poc

POC for the CVE-2022-36944 vulnerability exploit

CVE-2022-36944 payload generator This mini-project is created to demonstrate proof of concept of CVE-2022-36944 vulnerability It is similar to ysoserial, but generates payload only for this CVE with LazyList class Quick FAQ What artifacts bring the vulnerability? orgscala-lang:scala-library with versions 213x before 2139 What applications are vulnerable? Two conditions m

https://github.com/T0niKroOs/scala_vulnerability_poc

Proof of Concept Version Default: scala 21314 + Oracle OpenJDK 180_321 Available: scala 2130-21314 + java8-java18 Usage Erase File Contnts Configure Scala dependencies Set the 'filePath' field in PayloadGeneratorjava to the desired file path for erasure run PayloadGenerator to generate malicious byte stream and store it in /payloadser Write some content in

https://github.com/software-engineering-and-security/Gadgecy

A tool and dataset for detecting dependencies used in known Java gadget chains.

Gadgecy A tool and dataset for detecting dependencies used in known Java gadget chains This repository contains both the source code for the Gadgecy tool and the experiments which generated the dataset consumend by Gadgecy If you are only interested in the tool check out the releases Using Gadgecy usage: gadgecypy [-h] [--setup] [--pom POM] [--mvn MVN] [--jar JAR] [--projec

References

CWE-502https://www.scala-lang.org/download/https://github.com/scala/scala/pull/10118https://discuss.lightbend.com/t/impact-of-cve-2022-36944-on-akka-cluster-akka-actor-akka-remote/10007/2https://github.com/scala/scala-collection-compat/releases/tag/v2.9.0https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L3WMKPFAMFQE3HJVRQ5KOJUTWG264SXI/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6ZOZVWY3X72FZZCCRAKRJYTQOJ6LUD6Z/https://access.redhat.com/errata/RHSA-2023:3223https://nvd.nist.govhttps://github.com/yarocher/lazylist-cve-poc
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
log injectionCVE-2024-37079type confusionCVE-2024-32943CVE-2024-30103CVE-2024-37350arbitrary codeCVE-2024-6189CVE-2024-6225
Vulmon Logo Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Product List Vendor List Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook