Miggo Logo
Miggo Vulnerability Database
CVE-2017-15288

CVE-2017-15288: High severity vulnerability that affects org.scala-lang:scala-compiler

7.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2017-15288
GHSA ID
GHSA-qvxv-pmq9-4q7g
EPSS Score
0.36684%
CWE
CWE-732
Published
10/19/2018
Updated
2/1/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.scala-lang:scala-compilermaven< 2.10.72.10.7
org.scala-lang:scala-compilermaven>= 2.11.0, < 2.11.122.11.12
org.scala-lang:scala-compilermaven>= 2.12.0, < 2.12.42.12.4

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stemmed from insecure file permissions in temporary directories. Key evidence comes from: 1) The CWE-732 mapping (Incorrect Permission Assignment) 2) Patch commits moving files to ~/.scalac and adding OwnerOnlyChmod 3) Code comments about 'weak permissions' in /tmp/scala-devel 4) Security advisory explicitly mentioning the /tmp/scala-devel path. The identified functions are directly involved in creating and securing these temporary files, with the original implementations lacking proper permission hardening.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** *ompil*tion ***mon in S**l* ***or* *.**.*, *.**.x ***or* *.**.**, *n* *.**.x ***or* *.**.* us*s w**k p*rmissions *or priv*t* *il*s in /tmp/s**l*-**v*l/${US*R:s**r**}/s**l**-*ompil*-s*rv*r-port, w*i** *llows lo**l us*rs to writ* to *r*itr*ry *l*ss

Reasoning

T** vuln*r**ility st*mm** *rom ins**ur* *il* p*rmissions in t*mpor*ry *ir**tori*s. K*y *vi**n** *om*s *rom: *) T** *W*-*** m*ppin* (In*orr**t P*rmission *ssi*nm*nt) *) P*t** *ommits movin* *il*s to `~/.s**l**` *n* ***in* `Own*rOnly**mo*` *) *o** *omm