Description

Apache Camel Netty enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 are affected. 2.x users should upgrade to 2.25.1, 3.x users should upgrade to 3.2.0.

Remediation

References

https://camel.apache.org/security/CVE-2020-11973.html

http://www.openwall.com/lists/oss-security/2020/05/14/9

https://www.oracle.com/security-alerts/cpuoct2020.html

https://www.oracle.com/security-alerts/cpujan2021.html

https://www.oracle.com/security-alerts/cpuApr2021.html

https://www.oracle.com//security-alerts/cpujul2021.html

Related Vulnerabilities

CVE-2018-1999043 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2022-22965 Vulnerability in maven package org.springframework.boot:spring-boot-starter-web

CVE-2020-27782 Vulnerability in maven package io.undertow:undertow-servlet

CVE-2023-48293 Vulnerability in maven package org.xwiki.contrib:xwiki-application-admintools

CVE-2017-1000034 Vulnerability in maven package com.typesafe.akka:akka-actor

Severity

Critical

Classification

CWE-502 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Vendor Advisory Mailing List Third Party Advisory