CVE-2021-41411

CWE-611 — XML External Entity (XXE)6 documents6 sources

Severity

9.8CRITICAL

EPSS

0.3%

top 46.56%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Drools

Timeline

PublishedJun 16

Latest updateJan 15

Description

drools <=7.59.x is affected by an XML External Entity (XXE) vulnerability in KieModuleMarshaller.java. The Validator class is not used correctly, resulting in the XXE injection vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶NVDredhat/drools< 7.6.0

▶Mavenorg.drools:drools-core< 7.60.0.Final

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

XML External Entity Reference in drools↗2022-06-17

▶

GHSA

XML External Entity Reference in drools↗2022-06-17

▶

CVEList

CVE-2021-41411: drools <=7↗2022-06-16

▶

📋Vendor Advisories

Oracle

Oracle Oracle Communications Applications Risk Matrix: Rulesets (XStream) — CVE-2021-41411↗2023-01-15

▶

Red Hat

drools-compiler: XML External Entity vulnerability in KieModuleMarshaller.java↗2021-08-30

▶