CVE-2015-5348

CWE-197 documents7 sources
Severity
8.1 HIGH
EPSS
6.8%
top 8.66%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Apr 15
Latest update: Oct 16

Description

Apache Camel 2.6.x through 2.14.x, 2.15.x before 2.15.5, and 2.16.x before 2.16.1, when using (1) camel-jetty or (2) camel-servlet as a consumer in Camel routes, allow remote attackers to execute arbitrary commands via a crafted serialized Java object in an HTTP request.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.2 | Impact: 5.9

Affected Packages (7 packages)

Ecosystem | Package                                  | Affected | Fixed  | More
Maven     | org.apache.camel:camel-http              | 2.16.0   | 2.16.1 | +1
Maven     | org.apache.camel:camel-http4             | 2.16.0   | 2.16.1 | +1
Maven     | org.apache.camel:camel-jetty             | 2.16.0   | 2.16.1 | +1
Maven     | org.apache.camel:camel-servlet           | 2.16.0   | 2.16.1 | +1
Maven     | org.apache.camel:camel-http-common       | 2.16.0   | 2.16.1 | +1

🔴 Vulnerability Details (3)

OSV: Apache Camel can allow remote attackers to execute arbitrary commands (2018-10-16)
GHSA: Apache Camel can allow remote attackers to execute arbitrary commands (2018-10-16)
CVEList: CVE-2015-5348: Apache Camel 2 (2016-04-15)

📋 Vendor Advisories (2)

Red Hat: Camel: Java object deserialisation in Jetty/Servlet (2015-12-17)
Apache: Apache camel: CVE-2015-5348

💬 Community (1)

Bugzilla: CVE-2015-5348 Camel: Java object deserialisation in Jetty/Servlet (2015-12-18)
CVE-2015-5348 (HIGH CVSS 8.1) | Apache Camel 2.6.x through 2.14.x | cvebase.io