CVE-2022-1415 – Drools: unsafe data deserialization in streamutils
https://notcve.org/view.php?id=CVE-2022-1415
A flaw was found where some utility classes in Drools core did not use proper safeguards when deserializing data. This flaw allows an authenticated attacker to construct malicious serialized objects (usually called gadgets) and achieve code execution on the server. Se encontró una falla en la que algunas clases de utilidad en el núcleo de Drools no usaban las medidas de seguridad adecuadas al deserializar datos. Esta falla permite a un atacante autenticado construir objetos serializados maliciosos (generalmente llamados gadgets) y lograr la ejecución de código en el servidor. • https://access.redhat.com/errata/RHSA-2022:6813 https://access.redhat.com/security/cve/CVE-2022-1415 https://bugzilla.redhat.com/show_bug.cgi?id=2065505 • CWE-502: Deserialization of Untrusted Data •
CVE-2016-7041 – Workbench: Path traversal vulnerability
https://notcve.org/view.php?id=CVE-2016-7041
Drools Workbench contains a path traversal vulnerability. The vulnerability allows a remote, authenticated attacker to bypass the directory restrictions and retrieve arbitrary files from the affected host. Drools Workbench contiene una vulnerabilidad de salto de directorio. La vulnerabilidad permite que un atacante autenticado remoto omita las restricciones del directorio y recupere archivos arbitrarios desde el host afectado Drools Workbench contains the path traversal vulnerability. The vulnerability allows a remote, authenticated attacker to bypass the directory restrictions and retrieve arbitrary files from the affected host. • http://rhn.redhat.com/errata/RHSA-2016-2822.html http://rhn.redhat.com/errata/RHSA-2016-2823.html http://rhn.redhat.com/errata/RHSA-2016-2937.html http://rhn.redhat.com/errata/RHSA-2016-2938.html http://www.securityfocus.com/bid/94566 http://www.securitytracker.com/id/1037406 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7041 https://access.redhat.com/security/cve/CVE-2016-7041 https://bugzilla.redhat.com/show_bug.cgi?id=1375757 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2013-6468 – Drools: Remote Java Code Execution in MVEL
https://notcve.org/view.php?id=CVE-2013-6468
JBoss Drools, Red Hat JBoss BRMS before 6.0.1, and Red Hat JBoss BPM Suite before 6.0.1 allows remote authenticated users to execute arbitrary Java code via a (1) MVFLEX Expression Language (MVEL) or (2) Drools expression. JBoss Drools, Red Hat JBoss BRMS anterior a 6.0.1 y Red Hat JBoss BPM Suite anterior a 6.0.1 permite a usuarios remotos autenticados ejecutar código Java arbitrario a través de una expresión (1) MVFLEX Expression Language (MVEL) o (2) Drools • http://rhn.redhat.com/errata/RHSA-2014-0371.html http://rhn.redhat.com/errata/RHSA-2014-0372.html http://secunia.com/advisories/57716 http://secunia.com/advisories/57719 https://access.redhat.com/security/cve/CVE-2013-6468 https://bugzilla.redhat.com/show_bug.cgi?id=1051261 • CWE-94: Improper Control of Generation of Code ('Code Injection') •