Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1tNXE4LTU4d2gteHhxNM4AA1za

Drools Core Deserialization of Untrusted Data vulnerability

A flaw was found in some utility classes in Drools core that deserialize data without proper safeguards. An authenticated attacker can supply malicious serialized objects (gadget chains) to these classes and achieve code execution on the server.
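As an added example (not Drools code and not part of the advisory), the following Java program shows the kind of safeguard the advisory says was missing: an unfiltered `ObjectInputStream.readObject` that instantiates whatever class the stream names, next to the same read guarded by a JDK deserialization filter (`java.io.ObjectInputFilter`, available since Java 9) that allowlists only the expected class and rejects everything else. The `Fact` class is a constructed stand-in for a type the application legitimately expects, and `java.util.HashMap` is used only as an example of an unexpected class; no real gadget chain is built or needed to show the rejection.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

public class DeserializationFilterDemo {

    // Constructed stand-in for a type the application legitimately expects
    // to receive; it is not a Drools class.
    public static class Fact implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name;
        Fact(String name) { this.name = name; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Unsafe pattern: whatever class the stream names gets instantiated, so the
    // sender chooses which classes (and which readObject logic) run on the server.
    static Object readUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // Safeguard: allow only the expected class and the String it contains,
    // reject every other class ("!*"), and cap object-graph depth and stream size.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "DeserializationFilterDemo$Fact;java.lang.String;!*;maxdepth=8;maxbytes=65536");

    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(FILTER); // must be set before the first readObject
            return ois.readObject();
        }
    }

    // Returns true when the filter rejects the stream (InvalidClassException).
    static boolean isRejected(byte[] data) throws IOException, ClassNotFoundException {
        try {
            readFiltered(data);
            return false;
        } catch (InvalidClassException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new Fact("order-42"));
        // HashMap stands in for an unexpected class: the filter, not the stream,
        // decides which classes may be instantiated.
        byte[] unexpected = serialize(new HashMap<String, String>());

        System.out.println("unfiltered, unexpected class instantiated: "
                + readUnfiltered(unexpected).getClass().getName());
        System.out.println("filtered, expected class read: " + ((Fact) readFiltered(expected)).name);
        System.out.println("filtered, unexpected class rejected: " + isRejected(unexpected));
    }
}
```

The per-stream filter above only protects code you control. For a deserialization path inside a dependency such as drools-core, the fix is to upgrade to the patched version listed below; as a defence in depth, the same pattern string can be applied process-wide with the JVM option `-Djdk.serialFilter=...` (or `ObjectInputFilter.Config.setSerialFilter`), which then also covers streams opened by library code.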

Permalink: https://github.com/advisories/GHSA-m5q8-58wh-xxq4
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tNXE4LTU4d2gteHhxNM4AA1za
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 8 months ago
Updated: about 16 hours ago


CVSS Score: 6.8
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Identifiers: GHSA-m5q8-58wh-xxq4, CVE-2022-1415
References:
Blast Radius: 23.1

Affected Packages

maven:org.drools:drools-core
Dependent packages: 419
Dependent repositories: 2,495
Downloads:
Affected Version Ranges: < 7.69.0.Final
Fixed in: 7.69.0.Final
All affected versions:
All unaffected versions: 5.0.1, 5.1.0, 5.1.1