cbcvebase.
CVE-2024-23114
published 2024-02-20

CVE-2024-23114: Deserialization of Untrusted Data vulnerability in Apache Camel CassandraQL Component AggregationRepository which is vulnerable to unsafe deserialization…

Priority: P260 · Severity: critical · CVSS 3.1 base score: 9.8
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 1.15% (62.8th percentile)
Deserialization of Untrusted Data vulnerability in Apache Camel CassandraQL Component AggregationRepository which is vulnerable to unsafe deserialization. Under specific conditions it is possible to deserialize a malicious payload. This issue affects Apache Camel: from 3.0.0 before 3.21.4, from 3.22.0 before 3.22.1, from 4.0.0 before 4.0.4, from 4.1.0 before 4.4.0. Users are recommended to upgrade to version 4.4.0, which fixes the issue. If users are on the 4.0.x LTS release stream, they are suggested to upgrade to 4.0.4. If users are on 3.x, they are suggested to move to 3.21.4 or 3.22.1.

Affected (14 ranges)

Vendor                     | Product      | Version range        | Fixed in
apache                     | camel        |                      |
apache                     | camel        |                      |
apache                     | camel        |                      |
apache                     | camel        | >= 3.0.0 < 4.14.6    | 4.14.6
apache                     | camel        | >= 3.0.0 < 3.21.4    | 3.21.4
apache                     | camel        | >= 4.0.0 < 4.0.4     | 4.0.4
apache                     | camel        | >= 4.0.0 < 4.14.7    | 4.14.7
apache                     | camel        | >= 4.1.0 < 4.4.0     | 4.4.0
apache                     | camel        | >= 4.15.0 < 4.18.1   | 4.18.1
apache                     | camel        | >= 4.15.0 < 4.18.2   | 4.18.2
apache_software_foundation | apache_camel | >= 3.0.0 < 3.21.4    | 3.21.4
apache_software_foundation | apache_camel | >= 3.22.0 < 3.22.1   | 3.22.1
apache_software_foundation | apache_camel | >= 4.0.0 < 4.0.4     | 4.0.4
apache_software_foundation | apache_camel | >= 4.1.0 < 4.4.0     | 4.4.0

Detection & IOCs (extracted from sources)

  • CVE-2024-23114 affects the Apache Camel CassandraQL Component AggregationRepository (camel-cassandraql); monitor for unsafe Java deserialization activity originating from this component
  • Flag presence of the org.apache.camel/camel-cassandraql package in affected version ranges (3.0.0–3.21.4, 3.22.0–3.22.1, 4.0.0–4.0.4, 4.1.0–4.4.0) as a high-severity deserialization risk
  • Exploitation requires an attacker to be able to write a malicious serialized Java object into the Cassandra-backed AggregationRepository; the vulnerability is only triggerable under specific conditions where Camel reads back that payload
  • Multiple Red Hat product packages (camel-cassandraql in Red Hat build of Apache Camel 4 for Quarkus 3, Spring Boot 3, Spring Boot 4, Red Hat Fuse 7, and Red Hat Integration Camel Quarkus 2) are listed as Not Affected

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ghsa          |         | 7.8   | HIGH     |
vendor_apache |         | 9.8   | HIGH     |
vendor_redhat |         | 9.8   | CRITICAL |