CVE-2020-11973

CRITICAL

Apache Camel 2.22.0-2.25.0 and 3.0.0-3.1.0 - Deserialization of Untrusted Data via Netty


Description

Apache Camel Netty enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0 and 3.0.0 up to 3.1.0 are affected; 2.x users should upgrade to 2.25.1 and 3.x users to 3.2.0.

In practice this means a camel-netty consumer endpoint on an affected version accepts and deserializes Java object streams from any client that can reach it (CWE-502). No authentication or user interaction is required, so an attacker who can send bytes to the listening port and has a usable gadget chain on the application's classpath can reach remote code execution, which is what the CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H reflects. The fix is the version upgrade; where that cannot happen immediately, configure explicit encoders and decoders that do not use Java serialization on every netty endpoint and restrict network access to the ports those endpoints listen on.
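The following is an added detection example, not code from the advisory or from Apache Camel or Netty. It shows what a network or endpoint monitor can look for in traffic to a Camel Netty port: the Java serialization stream header (0xACED 0x0005) and the class names carried in TC_CLASSDESC records, which is enough to flag unexpected object streams and to match them against a watch list of known gadget classes. The class-name extraction is a heuristic scan, not a full ObjectInputStream grammar walk; the payloads, serialVersionUID values and the short gadget watch list are constructed for this example.

```python
"""Detect Java serialization streams in raw TCP payloads and list the classes
they describe. Added example for CVE-2020-11973; not Apache Camel or Netty code."""
import re
import struct
from typing import List

JAVA_STREAM_MAGIC = b"\xac\xed"     # STREAM_MAGIC from the Java serialization spec
JAVA_STREAM_VERSION = b"\x00\x05"   # STREAM_VERSION
TC_CLASSDESC = 0x72                 # tag that opens a classDescInfo record

# A Java class name in serialized form: dotted identifiers, optionally in
# JVM array notation such as "[Ljava.lang.Object;".
_CLASS_NAME = re.compile(rb"^\[*[A-Za-z_$][A-Za-z0-9_$.]*;?$")

# Illustrative subset of classes that appear in public deserialization gadget
# chains (constructed for this example; a production list is far longer).
GADGET_WATCHLIST = {
    "org.apache.commons.collections.functors.InvokerTransformer",
    "org.apache.commons.collections.functors.ChainedTransformer",
    "com.sun.rowset.JdbcRowSetImpl",
}


def is_java_serialized(payload: bytes) -> bool:
    """True if the payload starts with the Java serialization stream header."""
    return payload[:4] == JAVA_STREAM_MAGIC + JAVA_STREAM_VERSION


def extract_class_names(payload: bytes) -> List[str]:
    """Heuristically list class names from TC_CLASSDESC records, in stream order.

    Every non-proxy class descriptor is 0x72, a 2-byte big-endian length and the
    class name in modified UTF-8. We scan for that shape, keep names that look
    like Java class names, and skip over each accepted name so that 0x72 ('r')
    bytes inside the name itself are not re-examined.
    """
    names: List[str] = []
    i = 4 if is_java_serialized(payload) else 0
    while i + 3 <= len(payload):
        if payload[i] == TC_CLASSDESC:
            (length,) = struct.unpack_from(">H", payload, i + 1)
            raw = payload[i + 3 : i + 3 + length]
            if 0 < length <= 512 and len(raw) == length and _CLASS_NAME.match(raw):
                name = raw.decode("ascii")
                if name not in names:
                    names.append(name)
                i += 3 + length
                continue
        i += 1
    return names


def analyze_payload(payload: bytes) -> dict:
    """Summarize one captured payload for an alerting pipeline."""
    serialized = is_java_serialized(payload)
    classes = extract_class_names(payload) if serialized else []
    return {
        "java_serialized": serialized,
        "classes": classes,
        "gadget_hits": sorted(c for c in classes if c in GADGET_WATCHLIST),
    }


# --- constructed sample payloads -------------------------------------------
def _utf(s: str) -> bytes:
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def _classdesc(name: str, suid: int, fields: bytes = b"", nfields: int = 0) -> bytes:
    # TC_CLASSDESC, className, serialVersionUID, flags=SC_SERIALIZABLE, fieldCount,
    # field descriptors, TC_ENDBLOCKDATA (class annotations omitted)
    return (bytes([TC_CLASSDESC]) + _utf(name) + struct.pack(">Q", suid)
            + b"\x02" + struct.pack(">H", nfields) + fields + b"\x78")


# A serialized java.lang.Integer(42): TC_OBJECT, Integer desc, Number desc, TC_NULL, value.
SAMPLE_INTEGER = (
    JAVA_STREAM_MAGIC + JAVA_STREAM_VERSION + b"\x73"
    + _classdesc("java.lang.Integer", 0x12E2A0A4F7818738, b"I" + _utf("value"), 1)
    + _classdesc("java.lang.Number", 0x86AC951D0B94E08B)
    + b"\x70" + struct.pack(">i", 42)
)
# Truncated stream naming a gadget class; constructed, not a working exploit.
SAMPLE_GADGET = (
    JAVA_STREAM_MAGIC + JAVA_STREAM_VERSION + b"\x73"
    + _classdesc("org.apache.commons.collections.functors.InvokerTransformer", 0x87E8FF6B7B7CCE38)
    + b"\x70"
)
SAMPLE_TEXT = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"

if __name__ == "__main__":
    for label, p in (("integer", SAMPLE_INTEGER), ("gadget", SAMPLE_GADGET), ("text", SAMPLE_TEXT)):
        print(label, analyze_payload(p))
```

On a port served by a camel-netty endpoint that is not intentionally configured for Java serialization, any payload with this header is worth an alert on its own; the class list and watch list only raise the priority. The same check works from a packet capture or from a proxy in front of the endpoint.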

References

http://www.openwall.com/lists/oss-security/2020/05/14/9 (oss-security mailing list post; third-party advisory)
https://www.oracle.com/security-alerts/cpuoct2020.html (Oracle Critical Patch Update, October 2020; third-party advisory)
https://www.oracle.com/security-alerts/cpujan2021.html (Oracle Critical Patch Update, January 2021; third-party advisory)
https://www.oracle.com/security-alerts/cpuApr2021.html (Oracle Critical Patch Update, April 2021; third-party advisory)
https://www.oracle.com//security-alerts/cpujul2021.html (Oracle Critical Patch Update, July 2021; third-party advisory)

Scores

CVSS v3.1 base score 9.8 (Critical)
EPSS 0.1410
EPSS Percentile 94.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-502
Status published
Products (7)
apache/camel 2.22.0 - 2.25.0
oracle/communications_diameter_signaling_router 8.0.0 - 8.5.0
oracle/enterprise_manager_base_platform 13.3.0.0
oracle/enterprise_manager_base_platform 13.4.0.0
oracle/flexcube_private_banking 12.0.0
oracle/flexcube_private_banking 12.1.0
org.apache.camel/camel-netty 3.0.0 - 3.2.0 (Maven; 3.2.0 is the fixed release, so the affected 3.x versions are 3.0.0 through 3.1.0 as the description states)
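An added example of turning the version ranges above into a check against a build's dependency list; this is not Apache Camel tooling. The affected ranges and fixed releases are taken from the description (2.22.0 through 2.25.0 fixed in 2.25.1, 3.0.0 through 3.1.0 fixed in 3.2.0). The dependency tree text is a constructed sample in the format `mvn dependency:tree` prints; matching the 2.x artifact id camel-netty4 alongside camel-netty is my assumption, not something the page states.

```python
"""Check Apache Camel Netty artifact versions against the CVE-2020-11973 ranges.
Added example; not Apache Camel tooling."""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# (first affected, last affected, fixed release) per the advisory description.
AFFECTED_RANGES = [
    ((2, 22, 0), (2, 25, 0), "2.25.1"),
    ((3, 0, 0), (3, 1, 0), "3.2.0"),
]

# Matches "org.apache.camel:camel-netty:jar:3.1.0:compile" style lines. The
# \d* also admits camel-netty4 from Camel 2.x (assumption, see lead-in).
DEP_RE = re.compile(r"org\.apache\.camel:(camel-netty\d*):[a-z]+:([^:\s]+)")


def parse_version(text: str) -> Version:
    """Parse "2.24.3" or "3.1.0-SNAPSHOT" into a comparable numeric triple.

    Qualifiers after '-' are dropped; a missing patch component is treated as 0.
    """
    core = text.split("-", 1)[0]
    parts = [int(p) for p in core.split(".")]
    if not 2 <= len(parts) <= 3:
        raise ValueError(f"unexpected Camel version: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def fix_for(version: str) -> Optional[str]:
    """Return the release that fixes this version, or None if it is not affected."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= v <= high:
            return fixed
    return None


def scan_dependency_tree(text: str) -> List[dict]:
    """Report every Camel Netty artifact in Maven dependency:tree output."""
    findings = []
    for line in text.splitlines():
        m = DEP_RE.search(line)
        if not m:
            continue
        artifact, version = m.groups()
        findings.append({"artifact": artifact, "version": version, "fixed_in": fix_for(version)})
    return findings


# Constructed sample: a two-module build, one module still on 3.1.0.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ gateway ---
[INFO] com.example:gateway:jar:1.0.0
[INFO] +- org.apache.camel:camel-core:jar:3.1.0:compile
[INFO] \\- org.apache.camel:camel-netty:jar:3.1.0:compile
[INFO]    \\- io.netty:netty-all:jar:4.1.45.Final:compile
[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ legacy-bridge ---
[INFO] com.example:legacy-bridge:jar:1.0.0
[INFO] \\- org.apache.camel:camel-netty4:jar:2.25.1:compile
"""

if __name__ == "__main__":
    for f in scan_dependency_tree(SAMPLE_TREE):
        status = f"upgrade to {f['fixed_in']}" if f["fixed_in"] else "not affected"
        print(f"{f['artifact']} {f['version']}: {status}")
```

Run it over real output with `mvn dependency:tree | python check_camel_netty.py` after replacing the sample with stdin; the point of the triple comparison is that patch releases such as 2.24.3 fall inside the affected 2.22.x to 2.25.0 window even though they are not listed individually.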
Published May 14, 2020
Tracked Since Feb 18, 2026