CVE-2016-8749
published 2017-03-28

CVE-2016-8749: Apache Camel's Jackson and JacksonXML unmarshalling operations are vulnerable to Remote Code Execution attacks.

Severity: critical 9.8 (CVSS 3.0) · priority P260
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 10.60% (95.2th percentile)

Affected

17 ranges (version range and fixed-in columns were not captured; the affected versions are listed under Detection & IOCs)

Vendor                      Product        Version range     Fixed in
apache                      camel          13 ranges         -
apache_software_foundation  apache_camel   4 ranges          -

Detection & IOCs (extracted from sources)

  • camel-jackson and camel-jacksonxml honour the 'CamelJacksonUnmarshalType' property (a message header), which names the Java class the payload is unmarshalled into; whoever controls it can select an arbitrary class on the classpath. Monitor routes where untrusted data reaches this property.
  • Affected Apache Camel versions: 2.16.0–2.16.4, 2.17.0–2.17.4 and 2.18.0–2.18.1; flag deployments of these versions that use camel-jackson or camel-jacksonxml.
  • The flaw is only exploitable when 'CamelJacksonUnmarshalType' is used to allow arbitrary Java type unmarshalling; review route definitions for this property on paths fed by untrusted sources such as HTTP or JMS endpoints.
  • Both components share the mechanism, so every environment that uses either of them for unmarshalling should be assessed.
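The two checks above (affected version in use, and the 'CamelJacksonUnmarshalType' property set in route code) are easy to automate. The script below is an added example, not code from this page or from Apache Camel: it parses a Maven pom.xml, resolves `${property}` versions from `<properties>` (the usual way Camel projects pin a version, which a plain grep would miss), compares camel-jackson / camel-jacksonxml versions against the ranges listed above, and reports the lines of route source that reference the header. The pom and route snippet are constructed sample inputs; the match on `UNMARSHAL_TYPE` assumes routes may refer to the header through a constant of that name rather than the literal string.

```python
"""Added example for CVE-2016-8749 triage: flag affected camel-jackson /
camel-jacksonxml versions in a pom.xml and locate route code that sets the
CamelJacksonUnmarshalType header. Not part of Apache Camel; sample inputs
below are constructed for illustration."""
import re
import xml.etree.ElementTree as ET

# Affected ranges from the advisory text: 2.16.0-2.16.4, 2.17.0-2.17.4, 2.18.0-2.18.1
AFFECTED_RANGES = (
    ((2, 16, 0), (2, 16, 4)),
    ((2, 17, 0), (2, 17, 4)),
    ((2, 18, 0), (2, 18, 1)),
)
VULNERABLE_ARTIFACTS = {"camel-jackson", "camel-jacksonxml"}
# The header literal is from the advisory; UNMARSHAL_TYPE is an assumed constant
# name routes might use instead of the literal, so both spellings are matched.
UNMARSHAL_TYPE_PATTERN = re.compile(r"CamelJacksonUnmarshalType|\bUNMARSHAL_TYPE\b")


def parse_version(text):
    """'2.17.3' -> (2, 17, 3); vendor suffixes such as '2.17.3.redhat-1' are tolerated."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected_version(text):
    v = parse_version(text)
    return v is not None and any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def _local(tag):
    """Drop the Maven XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def find_vulnerable_dependencies(pom_xml):
    """Return (artifactId, resolved version) for each affected Camel dependency."""
    root = ET.fromstring(pom_xml)
    props = {}
    for el in root.iter():
        if _local(el.tag) == "properties":
            props.update({_local(c.tag): (c.text or "").strip() for c in el})

    def resolve(value):
        # ${camel.version} -> value of <camel.version> in <properties>
        m = re.fullmatch(r"\$\{([^}]+)\}", value)
        return props.get(m.group(1), value) if m else value

    findings = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in dep}
        artifact = fields.get("artifactId", "")
        version = resolve(fields.get("version", ""))
        if artifact in VULNERABLE_ARTIFACTS and is_affected_version(version):
            findings.append((artifact, version))
    return findings


def find_unmarshal_type_usage(source_text):
    """1-based line numbers in route source (Java or XML DSL) that touch the header."""
    return [n for n, line in enumerate(source_text.splitlines(), 1)
            if UNMARSHAL_TYPE_PATTERN.search(line)]


# --- constructed sample inputs (not taken from any real project) ---
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><camel.version>2.17.3</camel.version></properties>
  <dependencies>
    <dependency><groupId>org.apache.camel</groupId><artifactId>camel-core</artifactId>
      <version>${camel.version}</version></dependency>
    <dependency><groupId>org.apache.camel</groupId><artifactId>camel-jackson</artifactId>
      <version>${camel.version}</version></dependency>
    <dependency><groupId>org.apache.camel</groupId><artifactId>camel-jacksonxml</artifactId>
      <version>2.18.2</version></dependency>
  </dependencies>
</project>"""

SAMPLE_ROUTE_JAVA = """\
from("jetty:http://0.0.0.0:8080/orders")
    // target class name copied from a request header: attacker-controlled
    .setHeader("CamelJacksonUnmarshalType", header("X-Type"))
    .unmarshal().json(JsonLibrary.Jackson)
    .to("bean:orderService");"""

if __name__ == "__main__":
    for artifact, version in find_vulnerable_dependencies(SAMPLE_POM):
        print(f"affected dependency: {artifact} {version}")
    for line_no in find_unmarshal_type_usage(SAMPLE_ROUTE_JAVA):
        print(f"review route source line {line_no}: CamelJacksonUnmarshalType is set")
```

On the sample input the scan reports camel-jackson 2.17.3 (resolved through the property) and leaves camel-jacksonxml 2.18.2 alone, then points at the `setHeader` line where the type name comes from a request header. A hit on the header is a review item, not proof of exploitability: the route is only dangerous when the value reaching the property is attacker-controlled, as in the sample.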

CVSS provenance

nvd            v3.0   9.8   CRITICAL   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd            v2.0   7.5   HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_apache         9.8   MEDIUM
vendor_redhat         9.8   CRITICAL