CVE-2022-1415

HIGH

Redhat Decision Manager < 7.69.0.Final - Insecure Deserialization

Title source: rule

Description

A flaw was found where some utility classes in Drools core did not use proper safeguards when deserializing data. This flaw allows an authenticated attacker to construct malicious serialized objects (usually called gadgets) and achieve code execution on the server.

References (3)

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2022:6813

[Vendor Advisory] https://access.redhat.com/security/cve/CVE-2022-1415

[Issue Tracking, Vendor Advisory] https://bugzilla.redhat.com/show_bug.cgi?id=2065505

Scores

CVSS v3 8.1

EPSS 0.0083

EPSS Percentile 74.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Classification

CWE

CWE-502

Status published

Affected Products (5)

redhat/decision_manager

redhat/drools

redhat/jboss_middleware_text-only_advisories

redhat/process_automation

org.drools/drools-core < 7.69.0.FinalMaven

Timeline

Published Sep 11, 2023

Tracked Since Feb 18, 2026