CVE-2024-23114
Published: 2024-02-20
Priority: P260 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.15% (62.8th percentile)
Deserialization of Untrusted Data vulnerability in Apache Camel CassandraQL Component AggregationRepository which is vulnerable to unsafe deserialization. Under specific conditions it is possible to deserialize a malicious payload. This issue affects Apache Camel: from 3.0.0 before 3.21.4, from 3.22.0 before 3.22.1, from 4.0.0 before 4.0.4, from 4.1.0 before 4.4.0.
Users are recommended to upgrade to version 4.4.0, which fixes the issue. If users are on the 4.0.x LTS releases stream, then they are suggested to upgrade to 4.0.4. If users are on 3.x, they are suggested to move to 3.21.4 or 3.22.1.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | camel | — | — |
| apache | camel | — | — |
| apache | camel | — | — |
| apache | camel | >= 3.0.0 < 4.14.6 | 4.14.6 |
| apache | camel | >= 3.0.0 < 3.21.4 | 3.21.4 |
| apache | camel | >= 4.0.0 < 4.0.4 | 4.0.4 |
| apache | camel | >= 4.0.0 < 4.14.7 | 4.14.7 |
| apache | camel | >= 4.1.0 < 4.4.0 | 4.4.0 |
| apache | camel | >= 4.15.0 < 4.18.1 | 4.18.1 |
| apache | camel | >= 4.15.0 < 4.18.2 | 4.18.2 |
| apache_software_foundation | apache_camel | >= 3.0.0 < 3.21.4 | 3.21.4 |
| apache_software_foundation | apache_camel | >= 3.22.0 < 3.22.1 | 3.22.1 |
| apache_software_foundation | apache_camel | >= 4.0.0 < 4.0.4 | 4.0.4 |
| apache_software_foundation | apache_camel | >= 4.1.0 < 4.4.0 | 4.4.0 |
Detection & IOCs (extracted from sources)
- CVE-2024-23114 affects the Apache Camel CassandraQL Component AggregationRepository (camel-cassandraql); monitor for unsafe Java deserialization activity originating from this component.
- Flag presence of the org.apache.camel/camel-cassandraql package in affected version ranges (3.0.0–3.21.4, 3.22.0–3.22.1, 4.0.0–4.0.4, 4.1.0–4.4.0) as a high-severity deserialization risk.
- Exploitation requires an attacker to be able to write a malicious serialized Java object into the Cassandra-backed AggregationRepository; the vulnerability is only triggerable under specific conditions where Camel reads back that payload.
- Multiple Red Hat product packages (camel-cassandraql in Red Hat build of Apache Camel 4 for Quarkus 3, Spring Boot 3, Spring Boot 4, Red Hat Fuse 7, and Red Hat Integration Camel Quarkus 2) are listed as Not Affected.
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| ghsa | 7.8 | HIGH | — |
| vendor_apache | 9.8 | HIGH | — |
| vendor_redhat | 9.8 | CRITICAL | — |
GHSA
Apache Camel-Infinispan Component Vulnerable to Deserialization of Untrusted Data
ghsa · 2026-04-27 · CVSS 7.8
CVE-2026-40858 [HIGH] CWE-502
The camel-infinispan component's ProtoStream-based remote aggregation repository deserializes data read from a remote Infinispan cache using java.io.ObjectInputStream without applying any ObjectInputFilter. An attacker who can write to the Infinispan cache used by a Camel application can inject a crafted serialized Java object that, when read during normal aggregation repository operations such as get or recover, results in arbitrary code execution in the context of the application.
This issue affects Apache Camel: from 4.0.0 before 4.14.7, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0.
Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases
GHSA
Apache Camel-Consul component vulnerable to Deserialization of Untrusted Data
ghsa · 2026-04-27 · CVSS 7.8
CVE-2026-27172 [HIGH] CWE-502
The ConsulRegistry in the camel-consul component (class org.apache.camel.component.consul.ConsulRegistry and its inner ConsulRegistryUtils.deserialize method) read Java-serialized values from the Consul KV store and passed them to ObjectInputStream.readObject() without configuring an ObjectInputFilter. An attacker who can write to the Consul KV store backing a Camel ConsulRegistry instance could inject a malicious serialized Java object that is deserialized the next time Camel performs a lookup against that registry, leading to arbitrary code execution in the Camel process. The issue mirrors the class of vulnerability already addressed for other Camel components in CVE-2024-22369, CVE-2024-23114 and CVE-2026-257
OSV
Deserialization of Untrusted Data in Apache Camel CassandraQL
osv · 2024-02-20
CVE-2024-23114 [HIGH]
Deserialization of Untrusted Data vulnerability in Apache Camel CassandraQL Component AggregationRepository which is vulnerable to unsafe deserialization. Under specific conditions it is possible to deserialize a malicious payload. This issue affects Apache Camel: from 3.0.0 before 3.21.4, from 3.22.0 before 3.22.1, from 4.0.0 before 4.0.4, from 4.1.0 before 4.4.0.
Users are recommended to upgrade to version 4.4.0, which fixes the issue. If users are on the 4.0.x LTS releases stream, then they are suggested to upgrade to 4.0.4. If users are on 3.x, they are suggested to move to 3.21.4 or 3.22.1.
GHSA
Deserialization of Untrusted Data in Apache Camel CassandraQL
ghsa · 2024-02-20
CVE-2024-23114 [HIGH] CWE-502
Deserialization of Untrusted Data vulnerability in Apache Camel CassandraQL Component AggregationRepository which is vulnerable to unsafe deserialization. Under specific conditions it is possible to deserialize a malicious payload. This issue affects Apache Camel: from 3.0.0 before 3.21.4, from 3.22.0 before 3.22.1, from 4.0.0 before 4.0.4, from 4.1.0 before 4.4.0.
Users are recommended to upgrade to version 4.4.0, which fixes the issue. If users are on the 4.0.x LTS releases stream, then they are suggested to upgrade to 4.0.4. If users are on 3.x, they are suggested to move to 3.21.4 or 3.22.1.
Red Hat
Camel-CassandraQL: Unsafe Deserialization from CassandraAggregationRepository
vendor_redhat · 2024-02-19 · CVSS 9.8
CVE-2024-23114 [CRITICAL] CWE-502
Deserialization of Untrusted Data vulnerability in Apache Camel CassandraQL Component AggregationRepository which is vulnerable to unsafe deserialization. Under specific conditions it is possible to deserialize a malicious payload. This issue affects Apache Camel: from 3.0.0 before 3.21.4, from 3.22.0 before 3.22.1, from 4.0.0 before 4.0.4, from 4.1.0 before 4.4.0.
Users are recommended to upgrade to version 4.4.0, which fixes the issue. If users are on the 4.0.x LTS releases stream, then they are suggested to upgrade to 4.0.4. If users are on 3.x, they are suggested to move to 3.21.4 or 3.22.1.
A deserialization of untrusted data flaw was found in the Apache Camel CassandraQL Component AggregationRepository. The a
Apache
Apache camel: CVE-2024-23114
vendor_apache · CVSS 9.8
CVE-2024-23114 [HIGH]
Affected: from 3.0.0 before 3.21.4, from 3.22.0 before 3.22.1, from 4.0.0 before 4.0.4, from 4.1.0 before 4.4.0 · Fixed in: 3.21.4, 3.22.1, 4.0.4 and 4.4.0 · Severity: HIGH · Apache Camel: Camel-CassandraQL: Unsafe Deserialization from CassandraAggregationRepository
Severity: high
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-40858 org.apache.camel/camel-infinispan: Apache Camel camel-infinispan: Arbitrary code execution via deserialization of untrusted data
bugzilla · 2026-04-27 · CVSS 7.8
CVE-2026-40858 [HIGH]
The camel-infinispan component's ProtoStream-based remote aggregation repository deserializes data read from a remote Infinispan cache using java.io.ObjectInputStream without applying any ObjectInputFilter. An attacker who can write to the Infinispan cache used by a Camel application can inject a crafted serialized Java object that, when read during normal aggregation repository operations such as get or recover, results in arbitrary code execution in the context of the application.
This issue affects Apache Camel: from 4.0.0 before 4.14.7, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0.
Users are recommended to upgrade to version 4.20.0,
Bugzilla
CVE-2026-27172 org.apache.camel/camel-consul: Apache Camel camel-consul: Arbitrary code execution via deserialization of untrusted data
bugzilla · 2026-04-27 · CVSS 7.8
CVE-2026-27172 [HIGH]
The ConsulRegistry in the camel-consul component (class org.apache.camel.component.consul.ConsulRegistry and its inner ConsulRegistryUtils.deserialize method) read Java-serialized values from the Consul KV store and passed them to ObjectInputStream.readObject() without configuring an ObjectInputFilter. An attacker who can write to the Consul KV store backing a Camel ConsulRegistry instance could inject a malicious serialized Java object that is deserialized the next time Camel performs a lookup against that registry, leading to arbitrary code execution in the Camel process. The issue mirrors the class of vulnerability already addressed for other Camel com
Bugzilla
CVE-2026-6857 camel-infinispan: camel-infinispan: Remote Code Execution via Unsafe Deserialization
bugzilla · 2026-04-21 · CVSS 7.8
CVE-2026-6857 [HIGH]
Unsafe deserialization in camel-infinispan ProtoStream remote aggregation repository. DefaultExchangeHolderUtils.deserialize() uses ClassLoadingAwareObjectInputStream.readObject() without ObjectInputFilter. Same pattern as CVE-2024-22369, CVE-2024-23114, CVE-2026-25747.
Verified on Camel 4.10.0 + Infinispan 15.1.4. Reported to [email protected] and MITRE CVE Request #2024308.
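The weak pattern these CassandraQL, Consul and Infinispan entries all describe (bytes read back from a store handed to ObjectInputStream.readObject() with no ObjectInputFilter) next to its hardened form, added here as an illustration; this is not code from Apache Camel or from any of the reports above, and the allow-list of classes and the sample state are constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Map;
import java.util.TreeMap;

public final class FilteredDeserialization {
    // Hypothetical allow-list: only the classes the persisted state legitimately contains;
    // the trailing "!*" rejects every other class before it is instantiated.
    private static final ObjectInputFilter ALLOW_LIST = ObjectInputFilter.Config.createFilter(
            "java.util.TreeMap;java.lang.String;java.lang.Integer;java.lang.Number;!*");

    // Weak pattern named in the advisories: no filter, so any class on the classpath can be instantiated.
    static Object readUnfiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    // Hardened pattern: the filter sees every class descriptor in the stream and
    // readObject() fails with InvalidClassException as soon as one is rejected.
    static Object readFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(ALLOW_LIST);
            return in.readObject();
        }
    }

    static byte[] serialize(Serializable value) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(value); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample state of the shape a repository might persist: accepted by the filter.
        System.out.println("accepted: " + readFiltered(serialize(new TreeMap<String, Integer>(Map.of("count", 3)))));
        // Constructed stand-in for an unexpected class (a harmless java.util.Date): rejected by the filter.
        try {
            readFiltered(serialize(new java.util.Date()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Requires Java 9 or later for ObjectInputFilter; in production the same filter can also be installed process-wide via the jdk.serialFilter system property so that no code path is left running the unfiltered pattern.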