CVE-2022-1415

HIGH

Redhat Decision Manager < 7.69.0.Final - Insecure Deserialization

Title source: rule

Description

A flaw was found where some utility classes in Drools core did not use proper safeguards when deserializing data. This flaw allows an authenticated attacker to construct malicious serialized objects (usually called gadgets) and achieve code execution on the server.

References (3)

Core 3

Core References

Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2022:6813

Vendor Advisory vdb-entry x_refsource_redhat

https://access.redhat.com/security/cve/CVE-2022-1415

Issue Tracking, Vendor Advisory issue-tracking x_refsource_redhat

https://bugzilla.redhat.com/show_bug.cgi?id=2065505

Scores

CVSS v3 8.1

EPSS 0.0083

EPSS Percentile 74.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-502

Status published

Products (5)

org.drools/drools-core 0 - 7.69.0.FinalMaven

redhat/decision_manager 7.0

redhat/drools 7.69.0

redhat/jboss_middleware_text-only_advisories

redhat/process_automation 7.0

Published Sep 11, 2023

Tracked Since Feb 18, 2026