Description
Apache Camel Netty enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 are affected. 2.x users should upgrade to 2.25.1, 3.x users should upgrade to 3.2.0.
Remediation
References
https://camel.apache.org/security/CVE-2020-11973.html
http://www.openwall.com/lists/oss-security/2020/05/14/9
https://www.oracle.com/security-alerts/cpuoct2020.html
https://www.oracle.com/security-alerts/cpujan2021.html
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.oracle.com//security-alerts/cpujul2021.html
Related Vulnerabilities
CVE-2023-29516 Vulnerability in maven package org.xwiki.platform:xwiki-platform-attachment-ui
CVE-2022-31679 Vulnerability in maven package org.springframework.data:spring-data-rest-webmvc
CVE-2019-1003000 Vulnerability in maven package org.jenkins-ci.plugins:script-security
CVE-2016-10027 Vulnerability in maven package org.igniterealtime.smack:smack-tcp