CVE-2022-1415

A flaw was found where some utility classes in Drools core did not use proper safeguards when deserializing data. This flaw allows an authenticated attacker to construct malicious serialized objects (usually called gadgets) and achieve code execution on the server.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://access.redhat.com/errata/RHSA-2022:6813	Vendor Advisory
https://access.redhat.com/security/cve/CVE-2022-1415	Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2065505	Issue Tracking Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:redhat:decision_manager:7.0:::::::*
	cpe:2.3:a:redhat:drools:7.69.0:::::::*
	cpe:2.3:a:redhat:jboss_middleware_text-only_advisories:-:::::::*
	cpe:2.3:a:redhat:process_automation:7.0:::::::*

History

14 Sep 2023, 02:26

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 8.8
CPE		cpe:2.3:a:redhat:jboss_middleware_text-only_advisories:-:::::::* cpe:2.3:a:redhat:drools:7.69.0:::::::* cpe:2.3:a:redhat:decision_manager:7.0:::::::* cpe:2.3:a:redhat:process_automation:7.0:::::::*
First Time		Redhat decision Manager Redhat drools Redhat process Automation Redhat Redhat jboss Middleware Text-only Advisories
CWE		CWE-502
References	~~(MISC) https://access.redhat.com/errata/RHSA-2022:6813 -~~	(MISC) https://access.redhat.com/errata/RHSA-2022:6813 - Vendor Advisory
References	~~(MISC) https://bugzilla.redhat.com/show_bug.cgi?id=2065505 -~~	(MISC) https://bugzilla.redhat.com/show_bug.cgi?id=2065505 - Issue Tracking, Vendor Advisory
References	~~(MISC) https://access.redhat.com/security/cve/CVE-2022-1415 -~~	(MISC) https://access.redhat.com/security/cve/CVE-2022-1415 - Vendor Advisory

11 Sep 2023, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-09-11 21:15

Updated : 2023-12-10 15:14

NVD link : CVE-2022-1415

Mitre link : CVE-2022-1415

CVE.ORG link : CVE-2022-1415

JSON object : View

Products Affected

redhat

process_automation
decision_manager
drools
jboss_middleware_text-only_advisories

CWE

CWE-502

Deserialization of Untrusted Data

{"id": "CVE-2022-1415", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "secalert@redhat.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 1.6}]}, "published": "2023-09-11T21:15:41.483", "references": [{"url": "https://access.redhat.com/errata/RHSA-2022:6813", "tags": ["Vendor Advisory"], "source": "secalert@redhat.com"}, {"url": "https://access.redhat.com/security/cve/CVE-2022-1415", "tags": ["Vendor Advisory"], "source": "secalert@redhat.com"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2065505", "tags": ["Issue Tracking", "Vendor Advisory"], "source": "secalert@redhat.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-502"}]}, {"type": "Secondary", "source": "secalert@redhat.com", "description": [{"lang": "en", "value": "CWE-502"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found where some utility classes in Drools core did not use proper safeguards when deserializing data. This flaw allows an authenticated attacker to construct malicious serialized objects (usually called gadgets) and achieve code execution on the server."}, {"lang": "es", "value": "Se encontr\u00f3 una falla en la que algunas clases de utilidad en el n\u00facleo de Drools no usaban las medidas de seguridad adecuadas al deserializar datos. Esta falla permite a un atacante autenticado construir objetos serializados maliciosos (generalmente llamados gadgets) y lograr la ejecuci\u00f3n de c\u00f3digo en el servidor."}], "lastModified": "2023-11-07T03:41:55.673", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:redhat:decision_manager:7.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "68146098-58F8-417E-B165-5182527117C4"}, {"criteria": "cpe:2.3:a:redhat:drools:7.69.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C63D3269-9F0C-44C4-AC56-FEBD51D5E780"}, {"criteria": "cpe:2.3:a:redhat:jboss_middleware_text-only_advisories:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "434B744A-9665-4340-B02D-7923FCB2B562"}, {"criteria": "cpe:2.3:a:redhat:process_automation:7.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "20A6B40D-F991-4712-8E30-5FE008505CB7"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}