Lucene search

K

Scala 2.x Privilege Escalation Vulnerability

🗓️ 15 Nov 2017 00:00:00Reported by Jason ZauggType 
zdt
 zdt
🔗 0day.today👁 29 Views

Privilege Escalation Vulnerability in Scala 2.x Compilation Daemo

Show more
Related
Code
ReporterTitlePublishedViews
Family
Tenable Nessus
GLSA-201812-08 : Scala: Privilege escalation
17 Dec 201800:00
nessus
OSV
CVE-2017-15288
15 Nov 201716:29
osv
OSV
High severity vulnerability that affects org.scala-lang:scala-compiler
19 Oct 201816:51
osv
RedhatCVE
CVE-2017-15288
23 Nov 201715:19
redhatcve
CVE
CVE-2017-15288
15 Nov 201716:29
cve
Debian CVE
CVE-2017-15288
15 Nov 201716:29
debiancve
Github Security Blog
High severity vulnerability that affects org.scala-lang:scala-compiler
19 Oct 201816:51
github
NVD
CVE-2017-15288
15 Nov 201716:29
nvd
UbuntuCve
CVE-2017-15288
15 Nov 201700:00
ubuntucve
Prion
Design/Logic Flaw
15 Nov 201716:29
prion
Rows per page
A privilege escalation vulnerability has been identified in the Scala compilation daemon.

The compile daemon is started explicitly by the `fsc` command, or implicitly by executing
a Scala source file as a script (e.g `scala MyScript.scala`). Note: Using the `scala`
command to start a REPL or to run a pre-compiled class does not start the compile daemon.

# Impact

While the compile daemon is running, an attacker with local access to the machine can
execute code as the user that started the compile daemon, and can write arbitrary
class files to any location on the filesystem that the user has access to.

# Affected Versions

  - Scala 2.1.6-2.10.6; 2.11.0-2.11.11; 2.12.0-2.12.3

# Mitigation

  - Use `scala -nocompdaemon MyScript.scala` rather than `scala MyScript.scala` to
    disable the implicit startup and use of the daemon. 
  - Avoid explicitly starting `fsc` 
  - Upgrade to Scala 2.10.7 2.11.12, 2.12.4 or higher which restricts the sensitive file to be
    readable only by the owner. These releases also change the location of the sensitive
    file: it is written in the directory `$HOME/.scalac`.

Announcement: http://scala-lang.org/news/security-update-nov17.html

Scala Downloads: http://scala-lang.org/download/

#  0day.today [2018-03-19]  #

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo
15 Nov 2017 00:00Current
7.7High risk
Vulners AI Score7.7
EPSS0.0004
29
.json
Report