CVE-2022-36944 Information

Description

Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR file. On its own it cannot be exploited. There is only a risk in conjunction with LazyList object deserialization within an application. In such situations it allows attackers to erase the contents of arbitrary files, make network connections, or possibly run arbitrary code (specifically Function0 functions) via a gadget chain.

Reference

https://www.scala-lang.org/download/
https://github.com/scala/scala/pull/10118