Description
Scala 2.13.x before 2.13.9 ships a Java deserialization gadget chain in its JAR file (the scala-library classes). On its own it cannot be exploited: the chain only becomes a risk when an application performs Java object deserialization (ObjectInputStream.readObject) on data an attacker controls and scala-library is on the classpath. In that situation an attacker can use the chain to erase the contents of arbitrary files, open network connections, or possibly run arbitrary code (specifically, Function0 functions). The fix is to upgrade scala-library to 2.13.9 or later; applications that deserialize untrusted input should additionally restrict which classes the stream may instantiate.
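Worked example, added here and not taken from this page or from the Scala project's own code. It shows the two checks the description implies: a runtime test of the scala-library version actually on the classpath (which is what matters, whatever compiler built the application), and the hardened deserialization pattern, a JEP 290 allow-list ObjectInputFilter (JDK 9+) that rejects any class not explicitly expected before its deserialization hooks run, beside the bare ObjectInputStream pattern that is exploitable. The Greeting class, the object name and the sample payloads are constructed for the example; java.util.Date stands in for an attacker-chosen class and is harmless, unlike a real gadget chain.

```scala
import java.io.{ByteArrayInputStream, ByteArrayOutputStream, InvalidClassException,
  ObjectInputFilter, ObjectInputStream, ObjectOutputStream}
import scala.util.Properties

// Constructed message type for the example: the only class this service
// legitimately expects on the wire. Case classes are Serializable.
final case class Greeting(name: String)

object DeserializationHardening {

  // Check 1: is the scala-library jar on the classpath in the affected range
  // 2.13.0 through 2.13.8? Properties.versionNumberString reports the library
  // version (e.g. "2.13.8"); unparseable strings are reported as not affected,
  // so treat a `false` as "no evidence", not as proof of safety.
  def affectedScalaLibrary(version: String): Boolean =
    version.split("[.-]").take(3).flatMap(_.toIntOption) match {
      case Array(2, 13, patch) => patch < 9
      case _                   => false
    }

  // Check 2: even with a patched library, never hand untrusted bytes to a bare
  // ObjectInputStream. This allow-list filter admits only the classes the
  // protocol needs, bounds nesting depth and reference count, and rejects
  // everything else ("!*") before any readObject hook can run, so a gadget
  // chain in scala-library or any other jar is never instantiated.
  private val allowList: ObjectInputFilter = ObjectInputFilter.Config.createFilter(
    s"${classOf[Greeting].getName};java.lang.String;maxdepth=8;maxrefs=64;!*"
  )

  def serialize(obj: AnyRef): Array[Byte] = {
    val buf = new ByteArrayOutputStream()
    val out = new ObjectOutputStream(buf)
    try out.writeObject(obj) finally out.close()
    buf.toByteArray
  }

  // Vulnerable pattern: the attacker, not the application, picks the classes.
  def unsafeDeserialize(bytes: Array[Byte]): AnyRef = {
    val in = new ObjectInputStream(new ByteArrayInputStream(bytes))
    try in.readObject() finally in.close()
  }

  // Hardened pattern: the same call with the allow-list installed first.
  def safeDeserialize(bytes: Array[Byte]): AnyRef = {
    val in = new ObjectInputStream(new ByteArrayInputStream(bytes))
    in.setObjectInputFilter(allowList)
    try in.readObject() finally in.close()
  }

  def main(args: Array[String]): Unit = {
    val libVersion = Properties.versionNumberString
    println(s"scala-library $libVersion in affected range: ${affectedScalaLibrary(libVersion)}")

    val expected = serialize(Greeting("alice"))
    println(s"allow-listed payload: ${safeDeserialize(expected)}")

    // Stand-in for attacker-controlled stream content: any class outside the allow-list.
    val unexpected = serialize(new java.util.Date(0L))
    println(s"bare ObjectInputStream accepted: ${unsafeDeserialize(unexpected)}")
    try {
      safeDeserialize(unexpected)
      println("BUG: filter did not reject the unexpected class")
    } catch {
      case e: InvalidClassException => println(s"filter rejected it: ${e.getMessage}")
    }
  }
}
```

Compile and run on a JDK 9 or later (the ObjectInputFilter API does not exist on JDK 8). For an application whose deserialization code cannot be changed, the same pattern string can be applied process-wide with the `-Djdk.serialFilter=...` JVM option; a global filter is a coarser tool than a per-stream one, but it still prevents classes outside the list from ever being instantiated.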
Exploits (1)
References (6)
Core References
Third Party Advisory
https://discuss.lightbend.com/t/impact-of-cve-2022-36944-on-akka-cluster-akka-actor-akka-remote/10007/2
Release Notes, Third Party Advisory
https://github.com/scala/scala-collection-compat/releases/tag/v2.9.0
Exploit, Patch, Third Party Advisory
https://github.com/scala/scala/pull/10118
Vendor Advisory
https://www.scala-lang.org/download/
Mailing List, Third Party Advisory, vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L3WMKPFAMFQE3HJVRQ5KOJUTWG264SXI/
Mailing List, Third Party Advisory, vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6ZOZVWY3X72FZZCCRAKRJYTQOJ6LUD6Z/
Scores
CVSS v3
9.8
EPSS
0.6781
EPSS Percentile
98.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-502
Status
published
Products (5)
fedoraproject/fedora
35
fedoraproject/fedora
36
org.scala-lang/scala-library
2.13.0 through 2.13.8 (Maven; fixed in 2.13.9)
scala-lang/scala
2.13.0 through 2.13.8 (fixed in 2.13.9)
scala-lang/scala-collection-compat
< 2.9.0
Published
Sep 23, 2022
Tracked Since
Feb 18, 2026