CVE-2021-41411

Published: Jun 16, 2022Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

drools <=7.59.x is affected by an XML External Entity (XXE) vulnerability in KieModuleMarshaller.java. The Validator class is not used correctly, resulting in the XXE injection vulnerability.

Affected (1)

Products: Redhat: Drools

Redhat

1 product

Drools

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Redhat Drools	Before 7.6.0

Related CWEs

CWE-611

Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

References (2)

https://github.com/kiegroup/drools/pull/3808

Source: cve@mitre.org

PatchThird Party Advisory

https://github.com/kiegroup/drools/pull/3808

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

Timeline

No history available yet.