CVE-2010-3708: Drools Improper Input Validation vulnerability allows remote attackers to execute arbitrary code in JBoss EAP
CVSS Score: 7.5 (CVSS v2 base score, High)
Basic Information
CVE ID: CVE-2010-3708
GHSA ID:
EPSS Score: 0.84419%
CWE: Improper Input Validation (CWE-20, as classified in the advisory title)
Published: 5/17/2022 (date of this advisory entry; the CVE identifier itself dates from 2010)
Updated: 2/2/2023
KEV Status: No (not listed in the CISA Known Exploited Vulnerabilities catalog)
Technology: Java
Technical Details
CVSS Vector (v2): AV:N/AC:L/Au:N/C:P/I:P/A:P (reachable over the network, low attack complexity, no authentication required, partial impact on confidentiality, integrity and availability)
Package Name | Ecosystem | Vulnerable Versions | First Patched Version
---|---|---|---
org.drools:drools-core | Maven | < 4.0.7 | 4.0.7
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability centers on unsafe deserialization: the serialized input that Drools unmarshals can embed a Java class file, and loading that class executes its static initializer, which is where attacker-supplied code runs. The affected functions would be in the marshalling layer where serialized data is processed. Exact patch details are not available, but the usual pattern for this class of bug suggests that:
- Marshaller.readObject() is the primary deserialization entry point
- readResolve() methods control object replacement during deserialization
- The vulnerability description explicitly mentions class file embedding and static initializers; a static initializer runs the first time the embedded class is initialized, which would be triggered by class loading performed from these methods
- The fix in Drools 4.0.7 likely added allow-list validation in these deserialization paths so that only expected classes can be resolved, preventing arbitrary class loading
Because the payload is an ordinary Java serialized object, any network-reachable endpoint that feeds untrusted serialized data into Drools unmarshalling is the exposure (AV:N). To confirm exposure in a Maven build, `mvn dependency:tree -Dincludes=org.drools:drools-core` shows the resolved version; anything below 4.0.7 is affected.
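The following is an added example written for this page; it is not Drools code and does not reproduce the actual Drools 4.0.x marshalling classes or the 4.0.7 patch. It shows the two halves of the analysis above: why a serialized object that carries raw class bytes amounts to code execution (defining the class and initializing it runs its static initializer), and what an allow-list check in the deserialization path looks like. `ClassBundle`, `Payload`, `BytesLoader`, `AllowListObjectInputStream` and the contents of the allow-list are assumptions made for the demo, and the serialized input is constructed in `main`.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Set;

/**
 * Added example, not Drools code. ClassBundle, Payload, BytesLoader and the
 * allow-list contents are assumptions made for this demonstration.
 */
public class EmbeddedClassDemo {

    /** Hypothetical container: a serialized object carrying a class name plus its bytecode. */
    static final class ClassBundle implements Serializable {
        private static final long serialVersionUID = 1L;
        final String className;
        final byte[] classBytes;
        ClassBundle(String className, byte[] classBytes) {
            this.className = className;
            this.classBytes = classBytes;
        }
    }

    /** Stand-in for attacker bytecode; its static initializer is the "payload". */
    static class Payload {
        static { System.out.println("[payload] static initializer executed"); }
    }

    /** Minimal loader that defines a class from bytes; parent=null so it cannot delegate elsewhere. */
    static final class BytesLoader extends ClassLoader {
        BytesLoader() { super(null); }
        Class<?> define(String name, byte[] b) { return defineClass(name, b, 0, b.length); }
    }

    /** VULNERABLE: trusts the stream, defines the embedded class, then initializes it. */
    static void vulnerableUnmarshal(byte[] stream) throws Exception {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(stream))) {
            ClassBundle bundle = (ClassBundle) in.readObject();
            BytesLoader loader = new BytesLoader();
            loader.define(bundle.className, bundle.classBytes);
            // initialize=true forces <clinit>, i.e. the attacker's static initializer runs here
            Class.forName(bundle.className, true, loader);
        }
    }

    /** HARDENED: every class descriptor is checked against an allow-list before it is resolved. */
    static final class AllowListObjectInputStream extends ObjectInputStream {
        // Assumed allow-list: only the types this unmarshaller legitimately needs.
        private static final Set<String> ALLOWED = Set.of(
                "java.lang.String", "java.lang.Integer", "java.lang.Number", "[B");

        AllowListObjectInputStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "not on deserialization allow-list");
            }
            return super.resolveClass(desc);
        }
    }

    static Object hardenedUnmarshal(byte[] stream) throws Exception {
        try (ObjectInputStream in = new AllowListObjectInputStream(new ByteArrayInputStream(stream))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: the compiled bytes of Payload stand in for attacker-supplied bytecode.
        byte[] payloadBytes;
        try (InputStream is = EmbeddedClassDemo.class.getResourceAsStream("EmbeddedClassDemo$Payload.class")) {
            payloadBytes = is.readAllBytes();
        }
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(new ClassBundle(Payload.class.getName(), payloadBytes));
        }
        byte[] stream = bos.toByteArray();

        vulnerableUnmarshal(stream);   // static initializer of the embedded class runs
        try {
            hardenedUnmarshal(stream); // ClassBundle itself is not allow-listed, so nothing is instantiated
        } catch (InvalidClassException e) {
            System.out.println("[hardened] rejected: " + e.getMessage());
        }
    }
}
```

Compile and run from class files (`javac EmbeddedClassDemo.java && java EmbeddedClassDemo`, JDK 9 or later for `Set.of` and `readAllBytes`); the resource lookup in `main` needs the compiled `Payload` class on the classpath. The allow-list is enforced in `resolveClass`, which `ObjectInputStream` calls for every class descriptor before any object of that type is created, so the rejection happens before a single field of the untrusted object is read. On Java 9 and later the same policy can be expressed without subclassing through JEP 290 filters, for example `in.setObjectInputFilter(ObjectInputFilter.Config.createFilter("java.lang.String;!*"))`.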