scala-library is vulnerable to deserialization of untrusted data. The vulnerability exists because the readObject function in LazyList.scala can be reached through a Java deserialization gadget chain; when an application deserializes attacker-controlled data with scala-library on its classpath, this allows an attacker to erase the contents of arbitrary files, make network connections, or possibly run arbitrary code (specifically, Function0 functions).
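Upgrading scala-library to a fixed release is the actual remediation; the example below, added here and not taken from the advisory or from the Scala project, shows the compensating control a service that must deserialize Java objects should have anyway: a JEP 290 ObjectInputFilter that admits only the types the service expects and explicitly rejects the scala.* package (which contains the LazyList serialization proxy whose readObject is the gadget entry point). The allow-list contents, limits and sample payloads are constructed for illustration; Java 9 or later is assumed.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;

public final class SafeDeserializer {

    // Allow-list first, catch-all reject last. The trailing "!*" is what makes
    // this an allow-list: blocking scala.** alone would still leave every other
    // gadget class on the classpath reachable. Limits cap resource use too.
    private static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "!scala.**;"                 // reject the scala-library gadget outright (defense in depth)
          + "java.util.ArrayList;"       // the container this (hypothetical) service expects
          + "java.lang.String;"
          + "java.lang.Object;"          // element type of ArrayList's Object[] backing array
          + "maxdepth=5;maxarray=1000;maxbytes=65536;"
          + "!*");                       // everything else is rejected before its readObject runs

    /** Deserialize one object from untrusted bytes; rejected classes raise InvalidClassException. */
    public static Object readUntrusted(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(FILTER);   // must be installed before the first readObject()
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed benign payload: every class in the stream is on the allow-list.
        List<String> ok = new ArrayList<>(List.of("alpha", "beta"));
        System.out.println("accepted: " + readUntrusted(serialize(ok)));

        // Constructed off-list payload: stands in for a stream carrying a
        // scala.collection.immutable.LazyList proxy. The filter rejects it at the
        // class-descriptor stage, so no readObject of the rejected class executes.
        try {
            readUntrusted(serialize(new HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same filter can be applied process-wide with the `jdk.serialFilter` system property so that code paths which forget to call `setObjectInputFilter` are still covered.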
discuss.lightbend.com/t/impact-of-cve-2022-36944-on-akka-cluster-akka-actor-akka-remote/10007/2
github.com/advisories/GHSA-8qv5-68g4-248j
github.com/scala/scala-collection-compat/releases/tag/v2.9.0
github.com/scala/scala/commit/f24c226211eb340c999d810013efbff35a49863f
github.com/scala/scala/pull/10118
lists.fedoraproject.org/archives/list/[email protected]/message/6ZOZVWY3X72FZZCCRAKRJYTQOJ6LUD6Z/
lists.fedoraproject.org/archives/list/[email protected]/message/L3WMKPFAMFQE3HJVRQ5KOJUTWG264SXI/
www.scala-lang.org/download/