Description

Apache Camel RabbitMQ enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 are affected. 2.x users should upgrade to 2.25.1, 3.x users should upgrade to 3.2.0.

Remediation

References

http://www.openwall.com/lists/oss-security/2020/05/14/10

http://www.openwall.com/lists/oss-security/2020/05/14/8

https://camel.apache.org/security/CVE-2020-11972.html

https://www.oracle.com/security-alerts/cpujan2021.html

https://www.oracle.com/security-alerts/cpuoct2020.html

Related Vulnerabilities

CVE-2023-3894 Vulnerability in maven package com.fasterxml.jackson.dataformat:jackson-dataformat-properties

CVE-2020-2291 Vulnerability in maven package org.jenkins-ci.plugins:couchdb-statistics

CVE-2020-11620 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind

CVE-2018-8010 Vulnerability in maven package org.apache.solr:solr-core

CVE-2020-2193 Vulnerability in maven package io.jenkins.plugins:echarts-api

Severity

Critical

Classification

CWE-502 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Mailing List Third Party Advisory Vendor Advisory