CVE-2024-23114

Severity: 9.8 CRITICAL
EPSS: 1.0% (top 22.62%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published 2024-02-20

Description

Deserialization of Untrusted Data vulnerability in Apache Camel CassandraQL Component AggregationRepository which is vulnerable to unsafe deserialization. Under specific conditions it is possible to deserialize malicious payload. This issue affects Apache Camel: from 3.0.0 before 3.21.4, from 3.22.0 before 3.22.1, from 4.0.0 before 4.0.4, from 4.1.0 before 4.4.0. Users are recommended to upgrade to version 4.4.0, which fixes the issue. If users are on the 4.0.x LTS releases stream, then they are
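The description names the bug class but not what it looks like in code. The following is an added example, not Apache Camel's code and not the patched repository: a stand-in for an aggregation repository that reads exchange state back from a Cassandra blob column as a serialized Java object. The class names, the persisted state and the planted payload are all constructed for illustration. The hardening shown (a JEP 290 ObjectInputFilter allowlist, available since Java 9) is the general mitigation for this bug class; it is not a description of how the fix shipped in 4.4.0 was implemented.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

// Added example, not Apache Camel code. Stands in for an aggregation repository that
// persists exchange state as a serialized Java object in a Cassandra blob column and
// later reads it back. Whoever can write that column chooses which classes a plain
// ObjectInputStream will resolve and instantiate.
public class CassandraRepoDeserialization {

    // Hypothetical persisted state; the shape is constructed for illustration.
    static final class AggregatedState implements Serializable {
        private static final long serialVersionUID = 1L;
        final String correlationKey;
        final List<String> bodies;

        AggregatedState(String correlationKey, List<String> bodies) {
            this.correlationKey = correlationKey;
            this.bodies = bodies;
        }
    }

    // Stands in for a class the repository never intended to deserialize. It is harmless
    // here; the point is only that its readObject() runs as a side effect of reading bytes.
    static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            System.out.println("  Unexpected.readObject() executed during deserialization");
        }
    }

    static byte[] serialize(Serializable value) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(value);
        }
        return buf.toByteArray();
    }

    // Vulnerable pattern: the blob alone decides which classes are resolved and instantiated.
    static Object readUnfiltered(byte[] blob) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(blob))) {
            return in.readObject();
        }
    }

    // Hardened pattern: a JEP 290 allowlist is consulted for every class descriptor before
    // the class is resolved. The trailing "!*" rejects anything not listed explicitly.
    static Object readFiltered(byte[] blob) throws IOException, ClassNotFoundException {
        ObjectInputFilter allowlist = ObjectInputFilter.Config.createFilter(
                AggregatedState.class.getName() + ";java.util.ArrayList;java.lang.*;maxdepth=8;!*");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(blob))) {
            in.setObjectInputFilter(allowlist);
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: one row the repository wrote itself, one planted in the table.
        byte[] legit = serialize(new AggregatedState("order-42", new ArrayList<>(List.of("part-1", "part-2"))));
        byte[] planted = serialize(new Unexpected());

        System.out.println("unfiltered, legitimate row:");
        System.out.println("  " + ((AggregatedState) readUnfiltered(legit)).bodies);
        System.out.println("unfiltered, planted row:");
        readUnfiltered(planted);   // Unexpected.readObject() runs here
        System.out.println("filtered, legitimate row:");
        System.out.println("  " + ((AggregatedState) readFiltered(legit)).bodies);
        System.out.println("filtered, planted row:");
        try {
            readFiltered(planted);
        } catch (InvalidClassException e) {
            System.out.println("  rejected before instantiation: " + e.getMessage());
        }
    }
}
```

The filter is the control that matters: it runs before any constructor or readObject() of the named class, so a gadget class in the stream is rejected rather than executed. Keep the allowlist as narrow as the persisted state actually needs; an entry such as java.** would let the well-known JDK gadget chains straight back in.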

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (3 packages)

Source      Package                                    Introduced   Fixed
Maven       org.apache.camel:camel-cassandraql         3.0.0        3.21.4 (+3 more ranges)
NVD         apache/camel                               3.0.0        3.21.4 (+3 more ranges)
CVEListV5   apache_software_foundation/apache_camel    3.0.0        3.21.4 (+3 more ranges)
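As an added check, not from this page or the Camel project: a small Java utility that applies the four ranges from the description ("from X before Y", i.e. X inclusive, Y exclusive) to camel-cassandraql versions found in `mvn dependency:list` output. The sample lines are constructed; the range boundaries are the advisory's own. It only sees the declared coordinates of a direct or transitive dependency, so a shaded or relocated copy of the artifact would not be found this way.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not from Camel or cvebase. Flags camel-cassandraql versions that fall in
// the affected ranges stated in the advisory text.
public class Cve202423114VersionCheck {

    // [introduced, fixed) ranges copied from the advisory description.
    private static final String[][] AFFECTED = {
            {"3.0.0", "3.21.4"},
            {"3.22.0", "3.22.1"},
            {"4.0.0", "4.0.4"},
            {"4.1.0", "4.4.0"},
    };

    // Shape of one `mvn dependency:list` line: groupId:artifactId:type:version:scope.
    private static final Pattern DEP = Pattern.compile(
            "(org\\.apache\\.camel):(camel-cassandraql):[^:]+:([^:\\s]+)(?::\\S+)?");

    // Compares the numeric major.minor.patch parts only. A qualifier such as -SNAPSHOT is
    // dropped, so 3.21.4-SNAPSHOT is treated as 3.21.4; pre-release builds need manual review.
    static int compareVersions(String a, String b) {
        int[] x = numericParts(a), y = numericParts(b);
        for (int i = 0; i < 3; i++) {
            if (x[i] != y[i]) return Integer.compare(x[i], y[i]);
        }
        return 0;
    }

    private static int[] numericParts(String v) {
        String[] raw = v.split("-", 2)[0].split("\\.");
        int[] parts = new int[3];
        for (int i = 0; i < 3 && i < raw.length; i++) {
            parts[i] = Integer.parseInt(raw[i]);
        }
        return parts;
    }

    static boolean isAffected(String version) {
        for (String[] range : AFFECTED) {
            if (compareVersions(version, range[0]) >= 0 && compareVersions(version, range[1]) < 0) {
                return true;
            }
        }
        return false;
    }

    // One finding per camel-cassandraql line: "artifact:version -> AFFECTED|not affected".
    static List<String> scan(List<String> dependencyListLines) {
        List<String> findings = new ArrayList<>();
        for (String line : dependencyListLines) {
            Matcher m = DEP.matcher(line);
            if (m.find()) {
                String version = m.group(3);
                findings.add(m.group(2) + ":" + version + " -> "
                        + (isAffected(version) ? "AFFECTED" : "not affected"));
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed lines in the shape of `mvn dependency:list` output.
        List<String> lines = List.of(
                "[INFO]    org.apache.camel:camel-core:jar:3.21.3:compile",
                "[INFO]    org.apache.camel:camel-cassandraql:jar:3.21.3:compile",
                "[INFO]    org.apache.camel:camel-cassandraql:jar:3.22.1:compile",
                "[INFO]    org.apache.camel:camel-cassandraql:jar:4.3.0:compile",
                "[INFO]    org.apache.camel:camel-cassandraql:jar:4.4.0:compile");
        scan(lines).forEach(System.out::println);
    }
}
```

Pipe the real output of `mvn dependency:list` into `scan` (or paste it into the list) to check a build; 3.21.3 and 4.3.0 land inside the ranges, 3.22.1 and 4.4.0 sit exactly on the fixed boundary and are reported as not affected.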

🔴 Vulnerability Details (3)

CVEList   Apache Camel: Camel-CassandraQL: Unsafe Deserialization from CassandraAggregationRepository   2024-02-20
OSV       Deserialization of Untrusted Data in Apache Camel CassandraQL   2024-02-20
GHSA      Deserialization of Untrusted Data in Apache Camel CassandraQL   2024-02-20

📋 Vendor Advisories (2)

Red Hat   Camel-CassandraQL: Unsafe Deserialization from CassandraAggregationRepository   2024-02-19
Apache    Apache camel: CVE-2024-23114