CVE-2017-15288 Information
Description
The compilation daemon in Scala before 2.10.7, 2.11.x before 2.11.12, and 2.12.x before 2.12.4 uses weak permissions for private files in /tmp/scala-devel/${USER:shared}/scalac-compile-server-port, which allows local users to write to arbitrary class files and consequently gain privileges.
CVSS Vector
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Reference
http://scala-lang.org/news/security-update-nov17.html
https://github.com/scala/scala/pull/6108
https://github.com/scala/scala/pull/6120
https://github.com/scala/scala/pull/6128
https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E
https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E
https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E
https://security.gentoo.org/glsa/201812-08
Attack Complexity
LOW
Privileges Required
LOW
User Interaction Required
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
Base Score
7.8
Base Severity
HIGH