CVE-2020-11973

CWE-502 — Deserialization of Untrusted Data9 documents8 sources

Severity

9.8CRITICAL

EPSS

6.9%

top 8.57%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Camel Oracle Communications Diameter Signaling Router Oracle Enterprise Manager Base Platform +1 more

Timeline

PublishedMay 14

Latest updateJan 15

Description

Apache Camel Netty enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 are affected. 2.x users should upgrade to 2.25.1, 3.x users should upgrade to 3.2.0.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages6 packages

▶Mavenorg.apache.camel:camel-netty3.0.0 — 3.2.0

▶NVDapache/camel2.22.0 — 2.25.0+1

▶CVEListV5apache_camelApache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0

▶NVDoracle/communications_diameter_signaling_router8.0.0 — 8.5.0

▶NVDoracle/flexcube_private_banking12.0.0, 12.1.0+1

🔴Vulnerability Details

OSV

Apache Camel Netty enables Java deserialization by default↗2020-05-21

▶

GHSA

Apache Camel Netty enables Java deserialization by default↗2020-05-21

▶

CVEList

CVE-2020-11973: Apache Camel Netty enables Java deserialization by default↗2020-05-14

▶

📋Vendor Advisories

Oracle

Oracle Oracle Enterprise Manager Risk Matrix: Reporting Framework (Apache Camel) — CVE-2020-11973↗2021-01-15

▶

Oracle

Oracle Oracle Communications Risk Matrix: IDIH (Apache Camel) — CVE-2020-11973↗2020-10-15

▶

Red Hat

camel: Netty enables Java deserialization by default which could leed to remote code execution↗2020-05-14

▶

Apache

Apache camel: CVE-2020-11973↗

▶

💬Community

Bugzilla

CVE-2020-11973 camel: Netty enables Java deserialization by default which could leed to remote code execution↗2020-06-18

▶