CVE-2022-36944
Scala subject to file deletion, code execution due to Java deserialization chain with LazyList object deserialization
9.8
CRITICAL
CVSS 3.1
EPSS 67.8%
Description
Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR file. On its own, it cannot be exploited. There is only a risk in conjunction with LazyList object deserialization within an application. In such situations, it allows attackers to erase contents of arbitrary files, make network connections, or possibly run arbitrary code (specifically, Function0 functions) via a gadget chain.
How to fix CVE-2022-36944
To fix CVE-2022-36944, upgrade the affected package to the patched version below.
- Upgrade Scala to 2.13.9 or later
Upgrading is the fix. Because the chain is only reachable when the application deserializes a LazyList from untrusted input, a JEP 290 deserialization filter (the jdk.serialFilter property or an ObjectInputFilter) that rejects scala.collection.immutable.LazyList* is a defence-in-depth stopgap for deployments that cannot upgrade immediately, not a substitute for the upgrade.
Is CVE-2022-36944 being exploited?
Possibly: an EPSS of 67.8% falls in the high exploitation-probability band, so prioritise patching. EPSS is a probability estimate, not evidence of observed exploitation, and as the description notes the chain is not exploitable on its own: an application is only exposed if it deserializes attacker-controlled LazyList objects.
Affected packages (1)
- Scala >= 2.13.0, < 2.13.9
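The following is an added example, not code from the advisory or from the Scala project. It checks a declared scalaVersion or a resolved scala-library jar against the affected range above. It assumes the documented range (>= 2.13.0, < 2.13.9), the fact that scala-library jars carry a `library.properties` resource with a `version.number` key, and a `scalaVersion := "..."` line in build.sbt; the jars it scans in the demo are constructed fixtures, and all function names are this example's own.

```python
"""Check a Scala 2.13 build against the CVE-2022-36944 affected range.

Added example (not the advisory's or the Scala project's code). Assumes:
  - affected range >= 2.13.0, < 2.13.9 as documented in the advisory
  - scala-library jars contain library.properties with a version.number key
  - build.sbt declares the compiler version as  scalaVersion := "x.y.z"
"""
import os
import re
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, Optional, Tuple

AFFECTED_MIN = (2, 13, 0)   # inclusive lower bound
FIXED_IN = (2, 13, 9)       # exclusive upper bound (first fixed release)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")
_SBT_RE = re.compile(r'scalaVersion\s*:=\s*"([^"]+)"')


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '2.13.10' into (2, 13, 10).

    Plain string comparison ranks '2.13.10' below '2.13.9', so the components
    must be compared numerically. Suffixes such as '-RC1' are ignored.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Scala version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if the version lies in [2.13.0, 2.13.9)."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_IN


def sbt_scala_version(build_sbt_text: str) -> Optional[str]:
    """Extract the declared scalaVersion from build.sbt text, if present."""
    m = _SBT_RE.search(build_sbt_text)
    return m.group(1) if m else None


def jar_scala_version(jar_path) -> Optional[str]:
    """Read version.number from library.properties inside a scala-library jar."""
    with zipfile.ZipFile(jar_path) as zf:
        if "library.properties" not in zf.namelist():
            return None
        props = zf.read("library.properties").decode("utf-8", errors="replace")
    for line in props.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "version.number":
            return value.strip()
    return None


def scan_jars(root) -> Dict[str, Tuple[str, bool]]:
    """Map every scala-library*.jar under root to (version, affected)."""
    results: Dict[str, Tuple[str, bool]] = {}
    for path in Path(root).rglob("scala-library*.jar"):
        version = jar_scala_version(path)
        if version is None:
            continue
        results[str(path)] = (version, is_affected(version))
    return results


def build_demo_jar(directory, version: str) -> str:
    """Constructed fixture: a minimal jar whose library.properties claims `version`."""
    path = Path(directory) / f"scala-library-{version}.jar"
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("library.properties",
                    f"version.number={version}\nmaven.version.number={version}\n")
    return str(path)


def demo_scan(versions=("2.13.8", "2.13.9", "2.13.10")) -> Dict[str, Tuple[str, bool]]:
    """Build one constructed jar per version in a temp dir, scan, and return
    {jar basename: (version, affected)}."""
    with tempfile.TemporaryDirectory() as tmp:
        for v in versions:
            build_demo_jar(tmp, v)
        return {os.path.basename(p): r for p, r in scan_jars(tmp).items()}


if __name__ == "__main__":
    for name, (version, affected) in sorted(demo_scan().items()):
        print(f"{name}: {version} -> {'AFFECTED' if affected else 'ok'}")
```

Inspect the resolved jar rather than trusting the declared compiler version alone: a Scala 3 build still ships a 2.13.x scala-library jar on its classpath, and a transitive dependency can pin an older 2.13.x than the one your build declares.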
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |