Lucene search
RedhatCVELIST:CVE-2022-1415HistorySep 11, 2023 - 8:20 p.m.
CVE-2022-1415 Drools: unsafe data deserialization in streamutils
2023-09-1120:20:23
CWE-502
redhat
www.cve.org
2
cve-2022-1415
drools
data deserialization
streamutils
code execution
server vulnerability
8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
8.9 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
26.3%
A flaw was found where some utility classes in Drools core did not use proper safeguards when deserializing data. This flaw allows an authenticated attacker to construct malicious serialized objects (usually called gadgets) and achieve code execution on the server.
CNA Affected
[
{
"vendor": "Red Hat",
"product": "RHPAM 7.13.1 async",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "unaffected",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat build of Apache Camel for Spring Boot",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "drools-core",
"defaultStatus": "unaffected",
"cpes": [
"cpe:/a:redhat:camel_spring_boot:3"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat build of Quarkus",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "drools-core",
"defaultStatus": "unaffected",
"cpes": [
"cpe:/a:redhat:quarkus:2"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat Decision Manager 7",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "drools-core",
"defaultStatus": "affected",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_brms_platform:7"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat Integration Camel K",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "drools-core",
"defaultStatus": "unaffected",
"cpes": [
"cpe:/a:redhat:integration:1"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat Integration Camel Quarkus",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "drools-core",
"defaultStatus": "unaffected",
"cpes": [
"cpe:/a:redhat:camel_quarkus:2"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat JBoss Data Grid 7",
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"packageName": "drools-core",
"defaultStatus": "unaffected",
"cpes": [
"cpe:/a:redhat:jboss_data_grid:7"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat JBoss Data Virtualization 6",
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"packageName": "drools-core",
"defaultStatus": "unaffected",
"cpes": [
"cpe:/a:redhat:jboss_data_virtualization:6"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat JBoss Enterprise Application Platform 6",
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"packageName": "drools-core",
"defaultStatus": "unknown",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:6"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat JBoss Enterprise Application Platform 7",
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"packageName": "drools-core",
"defaultStatus": "unaffected",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"packageName": "drools-core",
"defaultStatus": "unaffected",
"cpes": [
"cpe:/a:redhat:jbosseapxp"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat JBoss Fuse 6",
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"packageName": "drools-core",
"defaultStatus": "unknown",
"cpes": [
"cpe:/a:redhat:jboss_fuse:6"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat JBoss Fuse 7",
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"packageName": "drools-core",
"defaultStatus": "unaffected",
"cpes": [
"cpe:/a:redhat:jboss_fuse:7"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat JBoss Fuse Service Works 6",
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"packageName": "drools-core",
"defaultStatus": "unknown",
"cpes": [
"cpe:/a:redhat:jboss_fuse_service_works:6"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat Process Automation 7",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "drools-core",
"defaultStatus": "affected",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
]
}
]Related
osv
osv
Drools Core Deserialization of Untrusted Data vulnerability
2023-09-11 21:30:17
CVE-2022-1415
2023-09-11 21:15:41
prion
prion
Design/Logic Flaw
2023-09-11 21:15:00
nvd
nvd
CVE-2022-1415
2023-09-11 21:15:41
github
github
Drools Core Deserialization of Untrusted Data vulnerability
2023-09-11 21:30:17
veracode
veracode
Deserialization Of Untrusted Data
2022-11-08 05:37:24
redhatcve
redhatcve
CVE-2022-1415
2022-10-29 00:16:47
cve
cve
CVE-2022-1415
2023-09-11 21:15:41
ibm
ibm
redhat
redhat
8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
8.9 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
26.3%
Related for CVELIST:CVE-2022-1415