Description

Apache Camel RabbitMQ enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 are affected. 2.x users should upgrade to 2.25.1, 3.x users should upgrade to 3.2.0.

Remediation

References

http://www.openwall.com/lists/oss-security/2020/05/14/10

http://www.openwall.com/lists/oss-security/2020/05/14/8

https://camel.apache.org/security/CVE-2020-11972.html

https://www.oracle.com/security-alerts/cpujan2021.html

https://www.oracle.com/security-alerts/cpuoct2020.html

Related Vulnerabilities

CVE-2020-2300 Vulnerability in maven package org.jenkins-ci.plugins:active-directory

CVE-2020-2257 Vulnerability in maven package org.jenkins-ci.plugins:validating-string-parameter

CVE-2021-21384 Vulnerability in npm package shescape

CVE-2022-38750 Vulnerability in maven package org.yaml:snakeyaml

CVE-2023-50769 Vulnerability in maven package org.sonatype.nexus.ci:nexus-jenkins-plugin

Severity

Critical

Classification

CWE-502 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Mailing List Third Party Advisory Vendor Advisory