Description
A flaw was found where some utility classes in Drools core did not use proper safeguards when deserializing data. This flaw allows an authenticated attacker to construct malicious serialized objects (usually called gadgets) and achieve code execution on the server.
Remediation
References
https://access.redhat.com/errata/RHSA-2022:6813
https://access.redhat.com/security/cve/CVE-2022-1415
https://bugzilla.redhat.com/show_bug.cgi?id=2065505
Related Vulnerabilities
CVE-2015-5171 Vulnerability in maven package org.cloudfoundry.identity:cloudfoundry-identity-common
CVE-2022-36095 Vulnerability in maven package org.xwiki.platform:xwiki-platform-web-templates
CVE-2022-43426 Vulnerability in maven package io.jenkins.plugins:s3explorer
CVE-2024-4367 Vulnerability in maven package org.webjars.bower:pdfjs-dist
CVE-2022-36098 Vulnerability in maven package org.xwiki.platform:xwiki-platform-mentions-ui