Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1xdnE2LWN3NTMtcm13Z84AAgD2
Drools Improper Input Validation vulnerability allows remote attackers to execute arbitrary code in JBoss EAP
The serialization implementation in JBoss Drools in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.3 before 4.3.0.CP09 and JBoss Enterprise SOA Platform 4.2 and 4.3 supports the embedding of class files, which allows remote attackers to execute arbitrary code via a crafted static initializer.
The maintainers of JBoss EAP patched the vulnerability by applying a fix from Drools 4.0.7.
Permalink: https://github.com/advisories/GHSA-qvq6-cw53-rmwgJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xdnE2LWN3NTMtcm13Z84AAgD2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: over 1 year ago
Identifiers: GHSA-qvq6-cw53-rmwg, CVE-2010-3708
References:
- https://nvd.nist.gov/vuln/detail/CVE-2010-3708
- https://bugzilla.redhat.com/show_bug.cgi?id=633859
- https://issues.jboss.org/browse/SOA-2319
- http://www.redhat.com/support/errata/RHSA-2010-0937.html
- http://www.redhat.com/support/errata/RHSA-2010-0938.html
- http://www.redhat.com/support/errata/RHSA-2010-0939.html
- http://www.redhat.com/support/errata/RHSA-2010-0940.html
- https://web.archive.org/web/20111025030056/http://securitytracker.com/id?1024813
- https://github.com/advisories/GHSA-qvq6-cw53-rmwg
Affected Packages
maven:org.drools:drools-core
Dependent packages: 419Dependent repositories: 2,495
Downloads:
Affected Version Ranges: < 4.0.7
Fixed in: 4.0.7
All affected versions:
All unaffected versions: 5.0.1, 5.1.0, 5.1.1