
CVE-2022-36944 (High) detected in scala-library-2.13.8.jar, scala-library-2.13.6.jar

Status: Open. Opened by mend-for-github-com[bot] 3 years ago, 0 comments.

CVE-2022-36944 - High Severity Vulnerability

Vulnerable Libraries - scala-library-2.13.8.jar, scala-library-2.13.6.jar

scala-library-2.13.8.jar

Standard library for the Scala Programming Language

Library home page: https://www.scala-lang.org/

Path to dependency file: /performance-test/build.gradle

Path to vulnerable library: /e/caches/modules-2/files-2.1/org.scala-lang/scala-library/2.13.8/5a865f03a794b27e6491740c4c419a19e4511a3d/scala-library-2.13.8.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.scala-lang/scala-library/2.13.8/5a865f03a794b27e6491740c4c419a19e4511a3d/scala-library-2.13.8.jar

Dependency Hierarchy:

  • :x: scala-library-2.13.8.jar (Vulnerable Library)

scala-library-2.13.6.jar

Standard library for the Scala Programming Language

Library home page: https://www.scala-lang.org/

Path to dependency file: /performance-test/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.scala-lang/scala-library/2.13.6/ed7a2f528c7389ea65746c22a01031613d98ab3d/scala-library-2.13.6.jar

Dependency Hierarchy:

  • zinc_2.13-1.6.1.jar (Root Library)
    • :x: scala-library-2.13.6.jar (Vulnerable Library)

Found in HEAD commit: 90bdaa7e7833bdd504c817e49d4434b4d8880f56

Found in base branch: main

Vulnerability Details

Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR file. On its own, it cannot be exploited. There is only a risk in conjunction with Java object deserialization within an application. In such situations, it allows attackers to erase contents of arbitrary files, make network connections, or possibly run arbitrary code (specifically, Function0 functions) via a gadget chain.

Publish Date: 2022-09-23

URL: CVE-2022-36944

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-09-23

Fix Resolution: org.scala-lang:scala-library:2.13.9
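An added check, not part of the Mend report or of the data-prepper build, that can be run against the text of a Gradle dependency report to confirm that no scala-library in the advisory's range (2.13.x before 2.13.9) still resolves onto the classpath after the upgrade, including the transitive copy that zinc_2.13 pulls in. The sample report below is constructed here in the `gradle dependencies` output format; the `./gradlew -p performance-test dependencies` invocation in the comment is an assumption about how the report would be produced for this repository.

```shell
#!/bin/sh
# Added example, not part of the Mend report or of the data-prepper build:
# scan a Gradle dependency report for org.scala-lang:scala-library artifacts
# in the range the advisory gives (2.13.x before 2.13.9) and report the
# versions Gradle would actually put on the classpath.
set -u

# Constructed sample in the format of `gradle dependencies` output. The zinc
# edge mirrors the hierarchy in the report above; "a -> b" means Gradle's
# conflict resolution replaced version a with b on the classpath.
SAMPLE='runtimeClasspath - Runtime classpath of source set main.
+--- org.scala-lang:scala-library:2.13.8
+--- org.scala-sbt:zinc_2.13:1.6.1
|    \--- org.scala-lang:scala-library:2.13.6 -> 2.13.8
\--- org.scala-lang:scala-library:2.12.17'

# Read a dependency report on stdin and print the resolved scala-library
# version for every edge, one per line: the declared version, unless a
# "-> x" conflict-resolution marker overrides it.
resolved_versions() {
  grep -oE 'org\.scala-lang:scala-library:[0-9.]+( -> [0-9.]+)?' |
  awk '{ v = $1; sub(/.*:/, "", v); if (NF == 3) v = $3; print v }'
}

# Keep only versions inside the advisory's range: major 2, minor 13, patch < 9.
# Versions outside that range (2.12.x, 2.13.9 and later) are passed over,
# which is not the same as judging them safe against other advisories.
in_cve_range() {
  awk -F. 'NF == 3 && $1 == 2 && $2 == 13 && $3 < 9'
}

# Distinct vulnerable versions that would end up on the classpath.
vulnerable_versions() {
  resolved_versions | in_cve_range | sort -u
}

# Exit status usable as a CI gate: 0 when clean, 1 when any edge resolves
# into the vulnerable range.
check_report() {
  hits=$(vulnerable_versions)
  if [ -n "$hits" ]; then
    printf 'CVE-2022-36944: scala-library %s resolved on classpath (fix: 2.13.9)\n' "$hits"
    return 1
  fi
  printf 'no scala-library in the CVE-2022-36944 range\n'
  return 0
}

# Stand-alone run on the constructed sample. For a real build the report
# would come from something like (assumed invocation):
#   ./gradlew -p performance-test dependencies | check_report
if printf '%s\n' "$SAMPLE" | check_report; then
  echo "gate: pass"
else
  echo "gate: FAIL"
fi
```

On the sample the gate fails on 2.13.8: Gradle's conflict resolution already replaces the 2.13.6 that zinc_2.13 declares with the directly declared 2.13.8, but 2.13.8 is itself inside the range, so conflict resolution alone does not clear the finding and the declared version has to move to the 2.13.9 named in the Fix Resolution. The Mend scanner lists both jars because it walks the Gradle cache rather than the resolved classpath, so after the upgrade both the report above and this check should come back clean. The check says nothing about whether the application actually deserializes untrusted Java objects, which is the condition the Vulnerability Details give for the chain being reachable; it only confirms the gadget-bearing versions are gone.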

