CVE-2020-11972
Severity: CRITICAL
Apache Camel 2.22.0-2.25.0 and 3.0.0-3.1.0 - Deserialization of Untrusted Data via RabbitMQ Java Deserialization
Title source: llmDescription
Apache Camel RabbitMQ enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 are affected. 2.x users should upgrade to 2.25.1, 3.x users should upgrade to 3.2.0.
References (5)
http://www.openwall.com/lists/oss-security/2020/05/14/8 (Mailing List, Third Party Advisory; x_refsource_mlist)
http://www.openwall.com/lists/oss-security/2020/05/14/10 (Mailing List, Third Party Advisory; x_refsource_mlist)
https://www.oracle.com/security-alerts/cpuoct2020.html (Third Party Advisory; x_refsource_misc)
https://camel.apache.org/security/CVE-2020-11972.html (Vendor Advisory; x_refsource_misc)
https://www.oracle.com/security-alerts/cpujan2021.html (Third Party Advisory; x_refsource_misc)
Scores
CVSS v3: 9.8
EPSS: 0.0692
EPSS Percentile: 91.5%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-502
Status: published
Products (7)
apache/camel: 2.22.0 - 2.25.0
oracle/communications_diameter_signaling_router: 8.0.0 - 8.2.2
oracle/enterprise_manager_base_platform: 13.3.0.0
oracle/enterprise_manager_base_platform: 13.4.0.0
oracle/flexcube_private_banking: 12.0.0
oracle/flexcube_private_banking: 12.1.0
org.apache.camel/camel-rabbitmq: 0 - 2.25.1 (Maven)
Published: May 14, 2020
Tracked Since: Feb 18, 2026