CVE-2017-15288 - High Severity Vulnerability
Vulnerable Libraries - scala-compiler-2.11.0.jar, scala-compiler-2.11.8.jar
scala-compiler-2.11.0.jar
Compiler for the Scala Programming Language
Library home page: http://www.scala-lang.org/
Path to dependency file: /dd-java-agent/instrumentation/play-2.3/play-2.3.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.scala-lang/scala-compiler/2.11.0/75d94f0ddcabb626832a992607acb6e2d6bc2a4a/scala-compiler-2.11.0.jar
Dependency Hierarchy:
- play-test_2.11-2.3.10.jar (Root Library)
- specs2-matcher-extra_2.11-2.3.12.jar
- specs2-analysis_2.11-2.3.12.jar
- ❌ scala-compiler-2.11.0.jar (Vulnerable Library)
scala-compiler-2.11.8.jar
Compiler for the Scala Programming Language
Library home page: http://www.scala-lang.org/
Path to dependency file: /dd-java-agent/instrumentation/finatra-2.9/finatra-2.9.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.scala-lang/scala-compiler/2.11.8/fe1285c9f7b58954c5ef6d80b59063569c065e9a/scala-compiler-2.11.8.jar
Dependency Hierarchy:
- finatra-http_2.11-2.9.0.jar (Root Library)
- finatra-jackson_2.11-2.9.0.jar
- scalap-2.11.8.jar
- ❌ scala-compiler-2.11.8.jar (Vulnerable Library)
Found in HEAD commit: 2819174635979a19573ec0ce8e3e2b63a3848079
Found in base branch: master
Vulnerability Details
The compilation daemon in Scala before 2.10.7, 2.11.x before 2.11.12, and 2.12.x before 2.12.4 uses weak permissions for private files in /tmp/scala-devel/${USER:shared}/scalac-compile-server-port, which allows local users to write to arbitrary class files and consequently gain privileges.
Publish Date: 2017-11-15
URL: CVE-2017-15288
CVSS 3 Score Details (7.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-15288
Release Date: 2017-11-15
Fix Resolution (org.scala-lang:scala-compiler): 2.11.12
Direct dependency fix Resolution (com.typesafe.play:play-test_2.11): 2.4.0
Fix Resolution (org.scala-lang:scala-compiler): 2.11.12
Direct dependency fix Resolution (com.twitter:finatra-http_2.11): 18.9.1
⛑️ Automatic Remediation is available for this issue
CVE-2017-15288 - High Severity Vulnerability
scala-compiler-2.11.0.jar
Compiler for the Scala Programming Language
Library home page: http://www.scala-lang.org/
Path to dependency file: /dd-java-agent/instrumentation/play-2.3/play-2.3.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.scala-lang/scala-compiler/2.11.0/75d94f0ddcabb626832a992607acb6e2d6bc2a4a/scala-compiler-2.11.0.jar
Dependency Hierarchy:
scala-compiler-2.11.8.jar
Compiler for the Scala Programming Language
Library home page: http://www.scala-lang.org/
Path to dependency file: /dd-java-agent/instrumentation/finatra-2.9/finatra-2.9.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.scala-lang/scala-compiler/2.11.8/fe1285c9f7b58954c5ef6d80b59063569c065e9a/scala-compiler-2.11.8.jar
Dependency Hierarchy:
Found in HEAD commit: 2819174635979a19573ec0ce8e3e2b63a3848079
Found in base branch: master
The compilation daemon in Scala before 2.10.7, 2.11.x before 2.11.12, and 2.12.x before 2.12.4 uses weak permissions for private files in /tmp/scala-devel/${USER:shared}/scalac-compile-server-port, which allows local users to write to arbitrary class files and consequently gain privileges.
Publish Date: 2017-11-15
URL: CVE-2017-15288
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-15288
Release Date: 2017-11-15
Fix Resolution (org.scala-lang:scala-compiler): 2.11.12
Direct dependency fix Resolution (com.typesafe.play:play-test_2.11): 2.4.0
Fix Resolution (org.scala-lang:scala-compiler): 2.11.12
Direct dependency fix Resolution (com.twitter:finatra-http_2.11): 18.9.1
⛑️ Automatic Remediation is available for this issue