Bug 45892 - CVE-2022-36944 Scala 2.13.x
Summary: CVE-2022-36944 Scala 2.13.x
Status: CLOSED FIXED
Alias: None
Product: Sisyphus
Classification: Development
Component: scala
Version: unstable
Hardware: all Linux
Importance: P5 critical
Assignee: viy
QA Contact: qa-sisyphus
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-04-18 10:40 MSK by Владимир
Modified: 2023-09-25 12:56 MSK
CC List: 4 users

See Also:


Description Владимир 2023-04-18 10:40:38 MSK
CVE-2022-36944: Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR file. On its own, it cannot be exploited. There is only a risk in conjunction with Java object deserialization within an application. In such situations, it allows attackers to erase contents of arbitrary files, make network connections, or possibly run arbitrary code (specifically, Function0 functions) via a gadget chain.
BDU:2023-00169: Vulnerability in the Scala programming language interpreter, related to errors in data deserialization, allowing an attacker to execute arbitrary code.
https://github.com/scala/scala/pull/10118
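The advisory's caveat is that the chain is only reachable when an application deserializes untrusted Java objects. The following is an added example, not part of the bug report or of the Scala project, showing the standard control for that situation on Java 9 and later: a JEP 290 ObjectInputFilter allowlist installed on the ObjectInputStream. With such a filter, a class outside the allowlist (scala.* classes included) is rejected before its readObject/readResolve code runs, so a gadget chain in an old scala-library JAR is never reached even if the JAR itself is not yet updated. The Order class, the filter pattern and the resource limits are illustrative assumptions; a real application lists its own serializable types.

```java
// Added example (not from the bug report or the Scala project): a JEP 290
// deserialization allowlist. Assumes Java 9 or later.
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;

public class SafeDeserialize {

    // The only application type we expect on the wire (illustrative).
    static final class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final String id;
        final int quantity;
        Order(String id, int quantity) { this.id = id; this.quantity = quantity; }
    }

    // Allowlist: our type plus the JDK class it needs; everything else is rejected.
    // "!*" must come last. "!scala.**" is redundant given "!*" but makes the intent
    // explicit. The max* limits cap the size and nesting of the object graph.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "SafeDeserialize$Order;java.lang.String;!scala.**;!*;maxdepth=4;maxrefs=64;maxbytes=4096");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize with the filter installed. A rejected class surfaces as an
    // InvalidClassException at class-resolution time, before any of that class's
    // deserialization hooks execute.
    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Allowed type round-trips normally.
        Order ok = (Order) deserialize(serialize(new Order("A-17", 3)));
        System.out.println("accepted: " + ok.id + " x" + ok.quantity);

        // Anything outside the allowlist, here a plain java.util.ArrayList standing in
        // for a gadget class, is rejected with "filter status: REJECTED".
        try {
            deserialize(serialize(new ArrayList<>()));
            System.out.println("BUG: ArrayList was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

A process-wide default can be set instead with the `jdk.serialFilter` system property using the same pattern syntax, which covers ObjectInputStreams created by libraries the application does not control; the per-stream filter above is the stricter form because it can be tailored to what each endpoint actually expects.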
Comment 1 Alexander Makeenkov 2023-04-18 10:43:13 MSK
In p10, as in Sisyphus, the version is 2.13.5
Comment 2 Andrey Cherepanov 2023-09-25 12:56:11 MSK
2.13.9-alt2 built on 22 September 2023 by Andrey Cherepanov in task #330105
22 September 2023 Andrey Cherepanov
- Build without bootstrapping.