CVE-2010-3708

CWE-20Improper Input ValidationCWE-502Deserialization of Untrusted Data6 documents6 sources
Severity
7.5HIGH
EPSS
2.4%
top 14.89%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Redhat Jboss Enterprise Application PlatformRedhat Jboss Enterprise SOA Platform
Timeline
PublishedDec 30
Latest updateMay 17

Description

The serialization implementation in JBoss Drools in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.3 before 4.3.0.CP09 and JBoss Enterprise SOA Platform 4.2 and 4.3 supports the embedding of class files, which allows remote attackers to execute arbitrary code via a crafted static initializer.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages3 packages

Mavenorg.drools:drools-core< 4.0.7

🔴Vulnerability Details

3
OSV
Drools Improper Input Validation vulnerability allows remote attackers to execute arbitrary code in JBoss EAP2022-05-17
GHSA
Drools Improper Input Validation vulnerability allows remote attackers to execute arbitrary code in JBoss EAP2022-05-17
CVEList
CVE-2010-3708: The serialization implementation in JBoss Drools in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 42010-12-30

📋Vendor Advisories

1
Red Hat
JBoss drools deserialization remote code execution2010-12-01

💬Community

1
Bugzilla
CVE-2010-3708 JBoss drools deserialization remote code execution2010-09-14
CVE-2010-3708 (HIGH CVSS 7.5) | The serialization implementation in | cvebase.io