First published: Thu May 14 2020
Apache Camel Netty enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 are affected. 2.x users should upgrade to 2.25.1, 3.x users should upgrade to 3.2.0.
Credit: security@apache.org
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/camel | <3.2.0 | 3.2.0 |
redhat/camel | <2.25.1 | 2.25.1 |
Apache Camel | >=2.22.0, <=2.25.0 | |
Apache Camel | >=3.0.0, <=3.1.0 | |
Oracle Communications Diameter Signaling Router | >=8.0.0, <=8.5.0 | |
Oracle Enterprise Manager Base Platform | =13.3.0.0 | |
Oracle Enterprise Manager Base Platform | =13.4.0.0 | |
Oracle FLEXCUBE Private Banking | =12.0.0 | |
Oracle FLEXCUBE Private Banking | =12.1.0 | |
CVE-2020-11973 is a vulnerability in Apache Camel that allows arbitrary code execution through Java deserialization.
The severity of CVE-2020-11973 is critical, with a severity value of 9.8.
CVE-2020-11973 can lead to a compromise of data confidentiality and integrity.
Versions 2.22.x, 2.23.x, 2.24.x, and 2.25.0 of Apache Camel are affected by CVE-2020-11973.
To fix CVE-2020-11973, upgrade to Apache Camel version 3.2.0 or higher.