Description
Apache Camel RabbitMQ enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, and 3.0.0 up to 3.1.0 are affected.
Remediation
2.x users should upgrade to 2.25.1; 3.x users should upgrade to 3.2.0.
References
http://www.openwall.com/lists/oss-security/2020/05/14/10
http://www.openwall.com/lists/oss-security/2020/05/14/8
https://camel.apache.org/security/CVE-2020-11972.html
https://www.oracle.com/security-alerts/cpujan2021.html
https://www.oracle.com/security-alerts/cpuoct2020.html