CVE-2022-36944
scala: deserialization gadget chain
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
2Exploited in Wild
-Decision
Descriptions
Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR file. On its own, it cannot be exploited. There is only a risk in conjunction with Java object deserialization within an application. In such situations, it allows attackers to erase contents of arbitrary files, make network connections, or possibly run arbitrary code (specifically, Function0 functions) via a gadget chain.
Scala versiones 2.13.x anteriores a 2.13.9 tiene una cadena de deserialización de Java en su archivo JAR. Por sí sola, no puede ser explotada. Sólo existe un riesgo en conjunto con la deserialización de objetos Java dentro de una aplicación. En tales situaciones, permite a los atacantes borrar el contenido de archivos arbitrarios, hacer conexiones de red, o posiblemente ejecutar código arbitrario (específicamente, funciones Function0) a través de una cadena de gadgets.
A flaw was found in Scala's LazyList that permits code execution during deserialization. This issue could allow an attacker to craft a LazyList containing a malicious Function0 call to execute arbitrary code on a server that deserializes untrusted data.
Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency. This release of Red Hat AMQ Streams 2.4.0 serves as a replacement for Red Hat AMQ Streams 2.3.0, and includes security and bug fixes, and enhancements. Issues addressed include denial of service, deserialization, information leakage, memory exhaustion, and resource exhaustion vulnerabilities.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2022-07-27 CVE Reserved
- 2022-09-23 CVE Published
- 2024-08-03 CVE Updated
- 2024-08-03 First Exploit
- 2025-04-10 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-502: Deserialization of Untrusted Data
CAPEC
References (9)
| URL | Tag | Source |
|---|---|---|
| https://discuss.lightbend.com/t/impact-of-cve-2022-36944-on-akka-cluster-akka-actor-akka-remote/10007/2 | Third Party Advisory | |
| https://github.com/scala/scala-collection-compat/releases/tag/v2.9.0 | Release Notes |
| URL | Date | SRC |
|---|---|---|
| https://github.com/yarocher/lazylist-cve-poc | 2024-11-07 | |
| https://github.com/scala/scala/pull/10118 | 2024-08-03 |
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Scala-lang Search vendor "Scala-lang" | Scala Search vendor "Scala-lang" for product "Scala" | >= 2.13.0 < 2.13.9 Search vendor "Scala-lang" for product "Scala" and version " >= 2.13.0 < 2.13.9" | - |
Affected
| ||||||
| Scala-lang Search vendor "Scala-lang" | Scala-collection-compat Search vendor "Scala-lang" for product "Scala-collection-compat" | < 2.9.0 Search vendor "Scala-lang" for product "Scala-collection-compat" and version " < 2.9.0" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 35 Search vendor "Fedoraproject" for product "Fedora" and version "35" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 36 Search vendor "Fedoraproject" for product "Fedora" and version "36" | - |
Affected
| ||||||