CVE-2022-1415

A flaw was found where some utility classes in Drools core did not use proper safeguards when deserializing data. This flaw allows an authenticated attacker to construct malicious serialized objects (usually called gadgets) and achieve code execution on the server.

Published: Sep 11, 2023
Updated: May 10, 2024
CVE: CVE-2022-1415
GHSA: GHSA-m5q8-58wh-xxq4
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.8
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWEs:

CWE-502

OWASP TOP 10:

A8 - Insecure Deserialization

Affected Software
References

Software	From	Fixed in
org.drools / drools-core	-	7.69.0.Final
redhat / decision_manager	7.0	7.0.x
redhat / process_automation	7.0	7.0.x
redhat / drools	7.69.0	7.69.0.x

https://access.redhat.com/errata/RHSA-2022:6813
https://access.redhat.com/security/cve/CVE-2022-1415
https://bugzilla.redhat.com/show_bug.cgi?id=2065505

Vulnerability Database

289,598

CVE-2022-1415