CVE-2024-23114

CRITICAL

Apache Camel < 3.21.4 - Insecure Deserialization

Title source: rule

Description

Deserialization of Untrusted Data vulnerability in Apache Camel CassandraQL Component AggregationRepository which is vulnerable to unsafe deserialization. Under specific conditions it is possible to deserialize malicious payload.This issue affects Apache Camel: from 3.0.0 before 3.21.4, from 3.22.0 before 3.22.1, from 4.0.0 before 4.0.4, from 4.1.0 before 4.4.0. Users are recommended to upgrade to version 4.4.0, which fixes the issue. If users are on the 4.0.x LTS releases stream, then they are suggested to upgrade to 4.0.4. If users are on 3.x, they are suggested to move to 3.21.4 or 3.22.1

References (1)

[Vendor Advisory] https://camel.apache.org/security/CVE-2024-23114.html

Scores

CVSS v3 9.8

EPSS 0.0129

EPSS Percentile 79.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-502

Status published

Affected Products (3)

apache/camel < 3.21.4

apache/camel

org.apache.camel/camel-cassandraql < 3.21.4Maven

Timeline

Published Feb 20, 2024

Tracked Since Feb 18, 2026