CVE-2022-1415

CWE-502 — Deserialization of Untrusted Data7 documents5 sources

Severity

8.8HIGH

EPSS

0.8%

top 25.54%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

3

Redhat Decision Manager Redhat Drools Redhat Process Automation

Timeline

PublishedSep 11

Latest updateDec 9

Description

A flaw was found where some utility classes in Drools core did not use proper safeguards when deserializing data. This flaw allows an authenticated attacker to construct malicious serialized objects (usually called gadgets) and achieve code execution on the server.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:NExploitability: 2.8 | Impact: 5.2

Affected Packages4 packages

▶Mavenorg.drools:drools-core< 7.69.0.Final

▶NVDredhat/drools7.69.0

▶NVDredhat/decision_manager7.0

▶NVDredhat/process_automation7.0

🔴Vulnerability Details

4

OSV

RISC-V: Make port I/O string accessors actually work↗2025-12-09

▶

GHSA

Drools Core Deserialization of Untrusted Data vulnerability↗2023-09-11

▶

CVEList

Drools: unsafe data deserialization in streamutils↗2023-09-11

▶

OSV

Drools Core Deserialization of Untrusted Data vulnerability↗2023-09-11

▶

📋Vendor Advisories

1

Red Hat

drools: unsafe data deserialization in StreamUtils↗2022-10-28

▶