Vulnerabilities > CVE-2022-1415 - Deserialization of Untrusted Data vulnerability in Redhat products

CVSS 8.8 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

redhat

CWE-502

NVD

Published: 2023-09-11

Updated: 2024-05-03

Summary

A flaw was found where some utility classes in Drools core did not use proper safeguards when deserializing data. This flaw allows an authenticated attacker to construct malicious serialized objects (usually called gadgets) and achieve code execution on the server.

Vulnerable Configurations

Part	Description	Count
Application	Redhat Redhat Decision Manager 7.0 Redhat Process Automation 7.0 Redhat Jboss Middleware Text Only Advisories - Redhat Drools 7.69.0	4

Common Weakness Enumeration (CWE)

CWE-502 - Deserialization of Untrusted Data

References

https://bugzilla.redhat.com/show_bug.cgi?id=2065505
https://access.redhat.com/errata/RHSA-2022:6813
https://access.redhat.com/security/cve/CVE-2022-1415