CVE-2022-1415

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Drools (affected versions not specified)

Description A flaw was found in Drools core where some utility classes did not use proper safeguards when deserializing data. This allows an authenticated attacker to construct malicious serialized objects, usually called gadgets, and achieve code execution on the server. The vulnerability is related to the restoration of untrusted data in memory, which can be exploited by a remote attacker to execute arbitrary code.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Deserialization of Untrusted Data

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-502

Related Identifiers

BDU:2022-06568

CVE-2022-1415

GHSA-M5Q8-58WH-XXQ4

SUSE-SU-2023:0345-1

SUSE-SU-2023:0373-1

SUSE-SU-2023:0592-1

Affected Products

Drools

Suse

CVE-2022-1415

Weakness Enumeration

Related Identifiers

Affected Products

References · 105