Description
Apache Camel RabbitMQ enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 are affected. 2.x users should upgrade to 2.25.1, 3.x users should upgrade to 3.2.0.
Remediation
References
http://www.openwall.com/lists/oss-security/2020/05/14/10
http://www.openwall.com/lists/oss-security/2020/05/14/8
https://camel.apache.org/security/CVE-2020-11972.html
https://www.oracle.com/security-alerts/cpujan2021.html
https://www.oracle.com/security-alerts/cpuoct2020.html
Related Vulnerabilities
CVE-2023-6293 Vulnerability in npm package sequelize-typescript
CVE-2021-32819 Vulnerability in npm package squirrelly
CVE-2021-44228 Vulnerability in maven package org.apache.logging.log4j:log4j-core
CVE-2019-17563 Vulnerability in maven package org.apache.tomcat:tomcat-catalina
CVE-2019-16571 Vulnerability in maven package org.jenkins-ci.plugins:rapiddeploy-jenkins