CVE-2020-11973
Severity: CRITICAL 9.8 | EPSS: 14.1%
Apache Camel Netty enables Java deserialization by default
Published: 5/21/2020 | Modified: 11/8/2023
Description
Apache Camel Netty enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 are affected. 2.x users should upgrade to 2.25.1, 3.x users should upgrade to 3.2.0.
Affected packages (1)
- Maven / org.apache.camel:camel-netty: >= 3.0.0, < 3.2.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (8)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2020-11973
- PATCH: https://github.com/apache/camel
- WEB: https://camel.apache.org/security/CVE-2020-11973.html
- WEB: https://www.oracle.com/security-alerts/cpuApr2021.html
- WEB: https://www.oracle.com/security-alerts/cpujan2021.html
- WEB: https://www.oracle.com//security-alerts/cpujul2021.html
- WEB: https://www.oracle.com/security-alerts/cpuoct2020.html
- WEB: http://www.openwall.com/lists/oss-security/2020/05/14/9