GHSA-8qv5-68g4-248j

Source
https://github.com/advisories/GHSA-8qv5-68g4-248j
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-8qv5-68g4-248j/GHSA-8qv5-68g4-248j.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-8qv5-68g4-248j
Published
2022-09-25T00:00:20Z
Modified
2024-02-17T05:36:08.723405Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Scala subject to file deletion, code execution due to Java deserialization chain with LazyList object deserialization
Details

Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR file. On its own, it cannot be exploited. There is only a risk in conjunction with LazyList object deserialization within an application. In such situations, it allows attackers to erase contents of arbitrary files, make network connections, or possibly run arbitrary code (specifically, Function0 functions) via a gadget chain.

Database specific
{
    "nvd_published_at": "2022-09-23T18:15:00Z",
    "cwe_ids": [
        "CWE-502"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2022-09-28T14:10:01Z"
}
Affected packages

Maven / org.scala-lang:scala-library

Package

Name
org.scala-lang:scala-library
Purl
pkg:maven/org.scala-lang/scala-library

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.13.0
Fixed
2.13.9

Affected versions

2.*

2.13.0
2.13.1
2.13.2
2.13.3
2.13.4
2.13.5
2.13.6
2.13.7
2.13.8