Description
Apache Camel's Netty component (camel-netty) enables Java object deserialization by default: a TCP endpoint that relies on the component's default codec will deserialize whatever a remote peer sends it. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, and 3.0.0 up to and including 3.1.0 are affected.
Remediation
2.x users should upgrade to 2.25.1; 3.x users should upgrade to 3.2.0.
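The following script is an added check written for this page; it is not part of the advisory or of Apache Camel. It does two things a practitioner auditing a deployment wants: it tests a camel-netty version against the affected ranges stated above, and it flags Camel endpoint URIs that would run with the component's default TCP codec (the Java object serialization path) because they set neither textline=true, nor allowDefaultCodec=false, nor an explicit encoder/decoder. The option names are real camel-netty options; the assumptions are that the 2.x netty4 component behaves like netty for this purpose, that version qualifiers such as -SNAPSHOT can be ignored, and that the sample version and endpoint list at the bottom are constructed input, not data from any real system.

```python
import re
from urllib.parse import parse_qs

# Affected ranges taken from the advisory text: 2.22.x through 2.25.0 (fixed in
# 2.25.1) and 3.0.0 through 3.1.0 (fixed in 3.2.0). Each range is [lower, upper).
AFFECTED_RANGES = (
    ((2, 22, 0), (2, 25, 1)),
    ((3, 0, 0), (3, 2, 0)),
)
FIXED_VERSION_BY_MAJOR = {2: "2.25.1", 3: "3.2.0"}

# camel-netty endpoint options that replace the default codec when present.
CODEC_OPTIONS = ("encoder", "decoder", "encoders", "decoders")


def parse_version(version: str) -> tuple:
    """Turn '2.24.3' (or '3.0.0-RC3') into a comparable (major, minor, patch) tuple.
    Assumption: any qualifier after the numeric part is ignored, so
    '2.25.1-SNAPSHOT' is treated like 2.25.1."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected_version(version: str) -> bool:
    """True when the given Camel release falls inside an affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def recommended_upgrade(version: str):
    """Fixed release to move to, or None when the version is not affected."""
    if not is_affected_version(version):
        return None
    return FIXED_VERSION_BY_MAJOR[parse_version(version)[0]]


def uses_default_object_codec(uri: str) -> bool:
    """True when a Camel endpoint URI such as 'netty:tcp://0.0.0.0:4444' would
    run with the component's default TCP codec, i.e. Java object serialization.

    Not flagged: textline=true, allowDefaultCodec=false, or any explicit
    encoder/decoder option. UDP endpoints and other components return False;
    this check only covers the TCP default-codec path.
    Assumption: the 2.x 'netty4' component is treated the same as 'netty'."""
    component, _, remainder = uri.partition(":")
    if component not in ("netty", "netty4"):
        return False
    protocol, _, rest = remainder.partition("://")
    if protocol.lower() != "tcp":
        return False
    # Split the query ourselves so '#beanRef' values are not treated as fragments.
    _, _, query = rest.partition("?")
    opts = {k: v[-1].strip().lower()
            for k, v in parse_qs(query, keep_blank_values=True).items()}
    if opts.get("textline") == "true":
        return False
    if opts.get("allowDefaultCodec") == "false":
        return False
    if any(o in opts for o in CODEC_OPTIONS):
        return False
    return True


def audit(version: str, endpoint_uris) -> list:
    """Combine both checks into a list of human-readable findings."""
    findings = []
    if is_affected_version(version):
        findings.append(
            f"Camel {version} is affected by CVE-2020-11973; "
            f"upgrade to {recommended_upgrade(version)}")
    for uri in endpoint_uris:
        if uses_default_object_codec(uri):
            findings.append(
                f"{uri}: default TCP codec deserializes Java objects; "
                "set textline=true or configure an explicit encoder/decoder")
    return findings


# Constructed sample input for illustration (not from any real deployment).
SAMPLE_VERSION = "2.24.3"
SAMPLE_ENDPOINTS = [
    "netty:tcp://0.0.0.0:4444",
    "netty:tcp://0.0.0.0:4445?textline=true",
    "netty4:tcp://localhost:5555?decoders=#myDecoder",
    "netty:udp://0.0.0.0:9999",
]

if __name__ == "__main__":
    for line in audit(SAMPLE_VERSION, SAMPLE_ENDPOINTS):
        print(line)
```

Run against the sample data the script reports two findings: the affected version and the first endpoint, which has no codec configured at all. Upgrading is the fix; the endpoint check is useful on the way there because an endpoint that already uses textline=true or its own encoder/decoder never touches the default object codec, while one that does should be treated as reachable by any peer that can open the TCP port.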
References
http://www.openwall.com/lists/oss-security/2020/05/14/9
https://camel.apache.org/security/CVE-2020-11973.html
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.oracle.com/security-alerts/cpujan2021.html
https://www.oracle.com/security-alerts/cpuoct2020.html
Related Vulnerabilities
CVE-2017-7525 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind
CVE-2022-21681 Vulnerability in npm package marked
CVE-2020-10968 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind
CVE-2020-27216 Vulnerability in maven package org.mortbay.jetty:jetty
CVE-2021-31597 Vulnerability in npm package xmlhttprequest-ssl