Description
Apache Camel Netty enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 are affected. 2.x users should upgrade to 2.25.1, 3.x users should upgrade to 3.2.0.
Remediation
References
http://www.openwall.com/lists/oss-security/2020/05/14/9
https://camel.apache.org/security/CVE-2020-11973.html
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.oracle.com/security-alerts/cpujan2021.html
https://www.oracle.com/security-alerts/cpuoct2020.html
Related Vulnerabilities
CVE-2021-35513 Vulnerability in maven package org.webjars.bower:mermaid
CVE-2023-27987 Vulnerability in maven package org.apache.linkis:linkis-computation-client
CVE-2019-1003093 Vulnerability in maven package org.jenkins-ci.plugins:nomad
CVE-2021-37695 Vulnerability in maven package org.webjars.bowergithub.ckeditor:ckeditor4