CVE-2020-11972 Vulnerability in maven package org.apache.camel:camel-rabbitmq

Description

Apache Camel RabbitMQ enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 are affected. 2.x users should upgrade to 2.25.1, 3.x users should upgrade to 3.2.0.

Remediation

References

http://www.openwall.com/lists/oss-security/2020/05/14/10

http://www.openwall.com/lists/oss-security/2020/05/14/8

https://camel.apache.org/security/CVE-2020-11972.html

https://www.oracle.com/security-alerts/cpujan2021.html

https://www.oracle.com/security-alerts/cpuoct2020.html

Related Vulnerabilities

CVE-2020-17521 Vulnerability in maven package org.codehaus.groovy:groovy

CVE-2020-7691 Vulnerability in maven package org.webjars.npm:jspdf

CVE-2021-3859 Vulnerability in maven package io.undertow:undertow-core

CVE-2022-0672 Vulnerability in maven package org.eclipse.lemminx:lemminx-parent

CVE-2020-15256 Vulnerability in maven package org.webjars.npm:object-path

Severity

Critical

Classification

CWE-502 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H