CVE-2017-15288: Incorrect Permission Assignment for Critical Resource

October 19, 2018 (updated September 16, 2021)

The compilation daemon in Scala before 2.10.7, 2.11.x before 2.11.12, and 2.12.x before 2.12.4 uses weak permissions for private files in /tmp/scala-devel/${USER:shared}/scalac-compile-server-port, which allows local users to write to arbitrary class files and consequently gain privileges.

References

github.com/advisories/GHSA-qvxv-pmq9-4q7g
github.com/scala/scala/pull/6108
github.com/scala/scala/pull/6120
github.com/scala/scala/pull/6128
nvd.nist.gov/vuln/detail/CVE-2017-15288

Detect and mitigate CVE-2017-15288 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →