CVE-2020-11972

CRITICAL9.8EPSS 6.9%

Deserialization of Untrusted Data in Apache Camel RabbitMQ

Published: 5/21/2021Modified: 11/8/2023

Description

Apache Camel RabbitMQ enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 are affected. 2.x users should upgrade to 2.25.1, 3.x users should upgrade to 3.2.0.

Affected packages (1)

Maven/org.apache.camel:camel-rabbitmqfrom 0, < 2.25.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (6)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-11972
WEBhttps://camel.apache.org/security/CVE-2020-11972.html
WEBhttps://www.oracle.com/security-alerts/cpujan2021.html
WEBhttps://www.oracle.com/security-alerts/cpuoct2020.html
WEBhttp://www.openwall.com/lists/oss-security/2020/05/14/10
WEBhttp://www.openwall.com/lists/oss-security/2020/05/14/8