CVE-2022-1415 – org.drools:drools-core

Package

Manager: maven
Name: org.drools:drools-core
Vulnerable Version: >=0 <7.69.0.final

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00632 pctl0.69449

Details

Drools Core Deserialization of Untrusted Data vulnerability A flaw was found where some utility classes in Drools core did not use proper safeguards when deserializing data. This flaw allows an authenticated attacker to construct malicious serialized objects (usually called gadgets) and achieve code execution on the server.

Metadata

Created: 2023-09-11T21:30:17Z
Modified: 2024-05-03T20:22:27Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-m5q8-58wh-xxq4/GHSA-m5q8-58wh-xxq4.json
CWE IDs: ["CWE-502"]
Alternative ID: GHSA-m5q8-58wh-xxq4
Finding: F096
Auto approve: 1