CVE-2022-1415: Deserialization of Untrusted Data

September 11, 2023 (updated November 7, 2023)

A flaw was found where some utility classes in Drools core does not use proper safeguards when deserializing data. This flaw allows an authenticated attacker to construct malicious serialized objects (usually called gadgets) and achieve code execution on the server.

References

access.redhat.com/errata/RHSA-2022:6813
access.redhat.com/security/cve/CVE-2022-1415
bugzilla.redhat.com/show_bug.cgi?id=2065505
nvd.nist.gov/vuln/detail/CVE-2022-1415

Code Behaviors & Features

Detect and mitigate CVE-2022-1415 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →