CVE-2022-1415

MEDIUM6.8EPSS 0.83%

Drools Core Deserialization of Untrusted Data vulnerability

Published: 9/11/2023Modified: 5/3/2024

Description

A flaw was found where some utility classes in Drools core did not use proper safeguards when deserializing data. This flaw allows an authenticated attacker to construct malicious serialized objects (usually called gadgets) and achieve code execution on the server.

Affected packages (1)

Maven/org.drools:drools-corefrom 0, < 7.69.0.Final

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.8	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-1415
WEBhttps://access.redhat.com/errata/RHSA-2022:6813
WEBhttps://access.redhat.com/security/cve/CVE-2022-1415
WEBhttps://bugzilla.redhat.com/show_bug.cgi?id=2065505