Vulnerability CVE-2017-15288


Published: 2017-11-15

Description:
The compilation daemon in Scala before 2.10.7, 2.11.x before 2.11.12, and 2.12.x before 2.12.4 uses weak permissions for private files in /tmp/scala-devel/${USER:shared}/scalac-compile-server-port, which allows local users to write to arbitrary class files and consequently gain privileges.

Type:

CWE-732

CVSS2 => (AV:L/AC:L/Au:N/C:C/I:C/A:C)

CVSS Base Score: 7.2/10
Impact Subscore: 10/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Affected software:
Scala-lang -> Scala

References:
http://scala-lang.org/news/security-update-nov17.html
https://github.com/scala/scala/pull/6108
https://github.com/scala/scala/pull/6120
https://github.com/scala/scala/pull/6128
https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E
https://security.gentoo.org/glsa/201812-08

Copyright 2024, cxsecurity.com

 
