Description
Apache Camel's Netty component enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, and 3.0.0 up to 3.1.0 are affected. 2.x users should upgrade to 2.25.1; 3.x users should upgrade to 3.2.0.
Remediation
References
http://www.openwall.com/lists/oss-security/2020/05/14/9
https://camel.apache.org/security/CVE-2020-11973.html
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.oracle.com/security-alerts/cpujan2021.html
https://www.oracle.com/security-alerts/cpuoct2020.html
Related Vulnerabilities
CVE-2020-8237 Vulnerability in maven package org.webjars.npm:json-bigint
CVE-2021-35513 Vulnerability in npm package mermaid
CVE-2023-37965 Vulnerability in maven package org.jenkins-ci.plugins:elasticbox
CVE-2022-45391 Vulnerability in maven package io.jenkins.plugins:cavisson-ns-nd-integration
CVE-2018-18531 Vulnerability in maven package com.github.penggle:kaptcha