Description

A flaw was found where some utility classes in Drools core did not use proper safeguards when deserializing data. This flaw allows an authenticated attacker to construct malicious serialized objects (usually called gadgets) and achieve code execution on the server.

Remediation

References

https://access.redhat.com/errata/RHSA-2022:6813

https://access.redhat.com/security/cve/CVE-2022-1415

https://bugzilla.redhat.com/show_bug.cgi?id=2065505

Related Vulnerabilities

CVE-2019-16771 Vulnerability in maven package com.linecorp.armeria:armeria

CVE-2022-43670 Vulnerability in maven package org.apache.sling:org.apache.sling.cms

CVE-2023-2850 Vulnerability in npm package nodebb

CVE-2023-33201 Vulnerability in maven package org.bouncycastle:bcprov-jdk18on

CVE-2020-10686 Vulnerability in maven package org.keycloak:keycloak-model-jpa

Severity

Critical

Classification

CWE-502 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Vendor Advisory Issue Tracking