Description

Apache Camel RabbitMQ enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 are affected. 2.x users should upgrade to 2.25.1, 3.x users should upgrade to 3.2.0.

Remediation

References

https://camel.apache.org/security/CVE-2020-11972.html

http://www.openwall.com/lists/oss-security/2020/05/14/8

http://www.openwall.com/lists/oss-security/2020/05/14/10

https://www.oracle.com/security-alerts/cpuoct2020.html

https://www.oracle.com/security-alerts/cpujan2021.html

Related Vulnerabilities

CVE-2022-43396 Vulnerability in maven package org.apache.kylin:kylin-spark-engine

CVE-2023-26105 Vulnerability in npm package utilities

CVE-2022-41940 Vulnerability in maven package org.webjars.npm:engine.io

CVE-2020-7238 Vulnerability in maven package io.netty:netty-codec-http

CVE-2023-41058 Vulnerability in npm package parse-server

Severity

Critical

Classification

CWE-502 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Vendor Advisory Mailing List Third Party Advisory