Lucene search

K
nvd[email protected]NVD:CVE-2022-36944
HistorySep 23, 2022 - 6:15 p.m.

CVE-2022-36944

2022-09-2318:15:10
CWE-502
web.nvd.nist.gov
1

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.008 Low

EPSS

Percentile

81.1%

Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR file. On its own, it cannot be exploited. There is only a risk in conjunction with Java object deserialization within an application. In such situations, it allows attackers to erase contents of arbitrary files, make network connections, or possibly run arbitrary code (specifically, Function0 functions) via a gadget chain.

Affected configurations

NVD
Node
scala-langscalaRange2.13.0–2.13.9
OR
scala-langscala-collection-compatRange<2.9.0
Node
fedoraprojectfedoraMatch35
OR
fedoraprojectfedoraMatch36

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.008 Low

EPSS

Percentile

81.1%