Main Vulnerability Database Vulnerabilities #VU16559

Privilege escalation in Scala - CVE-2017-15288

Published: December 15, 2018 / Updated: December 17, 2018

Vulnerability identifier: #VU16559

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2017-15288

CWE-ID: CWE-264

Exploitation vector: Local access

Exploit availability: No public exploit available

Vendor: Scala

Affected software:
Scala

Detailed vulnerability description

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The vulnerability exists due to the compilation daemon uses weak permissions for private files in /tmp/scala-devel/${USER:shared}/scalac-compile-server-port. A local attacker can write to arbitrary class files and consequently gain privileges.

How to mitigate CVE-2017-15288

The vulnerability has been fixed in the versions 2.10.7, 2.11.12, 2.12.4.

Sources

https://www.scala-lang.org/news/security-update-nov17.html

Privilege escalation in Scala - CVE-2017-15288

Detailed vulnerability description

How to mitigate CVE-2017-15288

Sources

Please verify you're human