CVE-2022-36944

CRITICAL

Scala < 2.13.9 - Insecure Deserialization


Description

Scala 2.13.x before 2.13.9 ships a Java deserialization gadget chain in its JAR file. On its own, the chain cannot be exploited; it becomes a risk only when the application itself performs Java object deserialization on attacker-controlled data. In that situation, the gadget chain allows attackers to erase the contents of arbitrary files, make network connections, or possibly run arbitrary code (specifically, Function0 functions).

Exploits (1)

nomisec · WORKING POC · 10 stars
by yarocher · poc
https://github.com/yarocher/lazylist-cve-poc

Scores

CVSS v3 9.8
EPSS 0.7025
EPSS Percentile 98.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE
CWE-502
Status published

Affected Products (5)

scala-lang/scala < 2.13.9
scala-lang/scala-collection-compat < 2.9.0
fedoraproject/fedora
fedoraproject/fedora
org.scala-lang/scala-library < 2.13.9 (Maven)

Timeline

Published Sep 23, 2022
Tracked Since Feb 18, 2026