Miggo Logo
Miggo Vulnerability Database
CVE-2022-36944

CVE-2022-36944: Scala subject to file deletion, code execution due to Java deserialization chain with LazyList object deserialization

9.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2022-36944
GHSA ID
GHSA-8qv5-68g4-248j
EPSS Score
0.98606%
CWE
CWE-502
Published
9/25/2022
Updated
1/31/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.scala-lang:scala-librarymaven>= 2.13.0, < 2.13.92.13.9

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from unsafe deserialization handling in LazyList's SerializationProxy. The original implementation (before 2.13.9) used 'tail.prependedAll(init)' during deserialization, which could trigger evaluation of a forged Function0 (lazyState) from the deserialized tail. The GitHub PR #10118 specifically modifies this deserialization path to use 'stateFromIteratorConcatSuffix' instead, preventing immediate Function0 execution. This matches the CVE description of Function0-based gadget chain exploitation during LazyList deserialization.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

S**l* *.**.x ***or* *.**.* **s * J*v* **s*ri*liz*tion ***in in its J*R *il*. On its own, it **nnot ** *xploit**. T**r* is only * risk in *onjun*tion wit* L*zyList o*j**t **s*ri*liz*tion wit*in *n *ppli**tion. In su** situ*tions, it *llows *tt**k*rs t

Reasoning

T** vuln*r**ility st*ms *rom uns*** **s*ri*liz*tion **n*lin* in L*zyList's S*ri*liz*tionProxy. T** ori*in*l impl*m*nt*tion (***or* *.**.*) us** 't*il.pr*p*n****ll(init)' *urin* **s*ri*liz*tion, w*i** *oul* tri***r *v*lu*tion o* * *or*** `*un*tion*` (