CVE-2020-11972 — Deserialization of Untrusted Data in Apache Camel

CWE-502 — Deserialization of Untrusted Data7 documents7 sources

Severity

9.8CRITICALNVD

EPSS

6.9%

top 8.57%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Camel Oracle Communications Diameter Signaling Router Apache Software Foundation Apache Camel +2 more

Timeline

PublishedMay 14

Latest updateMay 21

Description

Apache Camel RabbitMQ enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 are affected. 2.x users should upgrade to 2.25.1, 3.x users should upgrade to 3.2.0.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages5 packages

▶NVDapache/camel2.22.0 — 2.25.0+1

▶CVEListV5apache_software_foundation/apache_camelApache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0

▶NVDoracle/communications_diameter_signaling_router8.0.0 — 8.2.2

▶NVDoracle/flexcube_private_banking12.0.0, 12.1.0+1

▶NVDoracle/enterprise_manager_base_platform13.3.0.0, 13.4.0.0+1

🔴Vulnerability Details

OSV

Deserialization of Untrusted Data in Apache Camel RabbitMQ↗2021-05-21

▶

GHSA

Deserialization of Untrusted Data in Apache Camel RabbitMQ↗2021-05-21

▶

CVEList

CVE-2020-11972: Apache Camel RabbitMQ enables Java deserialization by default↗2020-05-14

▶

📋Vendor Advisories

Red Hat

camel: RabbitMQ enables Java deserialization by default which could leed to remote code execution↗2020-05-14

▶

Apache

Apache camel: CVE-2020-11972↗

▶

💬Community

Bugzilla

CVE-2020-11972 camel: RabbitMQ enables Java deserialization by default which could leed to remote code execution↗2020-06-18

▶