Description
A flaw was found where some utility classes in Drools core did not use proper safeguards when deserializing data. This flaw allows an authenticated attacker to construct malicious serialized objects (usually called gadgets) and achieve code execution on the server.
Remediation
References
https://access.redhat.com/errata/RHSA-2022:6813
https://access.redhat.com/security/cve/CVE-2022-1415
https://bugzilla.redhat.com/show_bug.cgi?id=2065505
Related Vulnerabilities
CVE-2019-10361 Vulnerability in maven package org.jenkins-ci.plugins.m2release:m2release
CVE-2021-21343 Vulnerability in maven package com.thoughtworks.xstream:xstream
CVE-2018-1000406 Vulnerability in maven package org.jenkins-ci.main:jenkins-core
CVE-2018-1000147 Vulnerability in maven package org.jvnet.hudson.plugins:perforce
CVE-2023-25762 Vulnerability in maven package org.jenkins-ci.plugins:pipeline-build-step