Description
Apache Camel Netty enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 are affected. 2.x users should upgrade to 2.25.1, 3.x users should upgrade to 3.2.0.
Remediation
References
http://www.openwall.com/lists/oss-security/2020/05/14/9
https://camel.apache.org/security/CVE-2020-11973.html
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.oracle.com/security-alerts/cpujan2021.html
https://www.oracle.com/security-alerts/cpuoct2020.html
Related Vulnerabilities
CVE-2020-2135 Vulnerability in maven package org.jenkins-ci.plugins:script-security
CVE-2021-21266 Vulnerability in maven package org.openhab.addons.bundles:org.openhab.transform.xpath
CVE-2021-37695 Vulnerability in maven package org.webjars.bowergithub.ckeditor:ckeditor4
CVE-2023-37965 Vulnerability in maven package org.jenkins-ci.plugins:elasticbox
CVE-2020-2264 Vulnerability in maven package org.jenkins-ci.plugins:custom-job-icon