Bug 2065505 (CVE-2022-1415) - CVE-2022-1415 drools: unsafe data deserialization in StreamUtils
Summary: CVE-2022-1415 drools: unsafe data deserialization in StreamUtils
Keywords:
Status: NEW
Alias: CVE-2022-1415
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2036926
Reported: 2022-03-18 01:37 UTC by Chess Hazlett
Modified: 2024-05-03 18:49 UTC (History)

Fixed In Version: drools 7.69.0.Final
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found where some utility classes in Drools core did not use proper safeguards when deserializing data. This flaw allows an authenticated attacker to construct malicious serialized objects (usually called gadgets) and achieve code execution on the server.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Chess Hazlett 2022-03-18 01:37:24 UTC
It was found that some utility classes in Drools core did not use proper safeguards when deserializing data. An authed attacker could construct malicious serialized objects (usually called gadgets) and use this flaw to achieve code execution on the server.

