CVE-2022-36944

NVD

https://nvd.nist.gov/vuln/detail/CVE-2022-36944

Severity

9.8

Critical

CVSS V3

Eliminate CVEs with Chainguard hardened images

Build, ship, and run secure software with minimal, hardened container images — rebuilt from source daily and guarded under our industry-leading remediation SLA.

Start for free

Description

Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR file. On its own, it cannot be exploited. There is only a risk in conjunction with Java object deserialization within an application. In such situations, it allows attackers to erase contents of arbitrary files, make network connections, or possibly run arbitrary code (specifically, Function0 functions) via a gadget chain.

References

https://nvd.nist.gov/vuln/detail/CVE-2022-36944
https://github.com/advisories/GHSA-8qv5-68g4-248j
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6ZOZVWY3X72FZZCCRAKRJYTQOJ6LUD6Z/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L3WMKPFAMFQE3HJVRQ5KOJUTWG264SXI/
https://discuss.lightbend.com/t/impact-of-cve-2022-36944-on-akka-cluster-akka-actor-akka-remote/10007/2
https://github.com/scala/scala-collection-compat/releases/tag/v2.9.0
https://github.com/scala/scala/pull/10118
https://www.scala-lang.org/download/

Affected packages

Advisories are based on vulnerability information provided by Grype from Anchore. Learn how Chainguard creates security advisories.

CVE-2022-36944

Severity

Description

References

Affected packages

The trusted source for open source

Product

Solutions

Customers

Resources

Company