CVE-2022-1415

Published Sep 11, 2023

Last updated 6 months ago

CVSS high 8.8

Overview

Description: A flaw was found where some utility classes in Drools core did not use proper safeguards when deserializing data. This flaw allows an authenticated attacker to construct malicious serialized objects (usually called gadgets) and achieve code execution on the server.
Source: secalert@redhat.com
NVD status: Modified

Risk scores

CVSS 3.1

Type: Primary
Base score: 8.8
Impact score: 5.9
Exploitability score: 2.8
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity: HIGH

Weaknesses

nvd@nist.gov: CWE-502
secalert@redhat.com: CWE-502

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:redhat:decision_manager:7.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "68146098-58F8-417E-B165-5182527117C4"
          },
          {
            "criteria": "cpe:2.3:a:redhat:drools:7.69.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "C63D3269-9F0C-44C4-AC56-FEBD51D5E780"
          },
          {
            "criteria": "cpe:2.3:a:redhat:jboss_middleware_text-only_advisories:-:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "434B744A-9665-4340-B02D-7923FCB2B562"
          },
          {
            "criteria": "cpe:2.3:a:redhat:process_automation:7.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "20A6B40D-F991-4712-8E30-5FE008505CB7"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Risk scores

CVSS 3.1

Weaknesses

Social media

Configurations

References