CVE-2020-11973
CRITICAL 9.8 | EPSS 14.1% | Apache Camel Netty enables Java deserialization by default
Published: 2020/5/21 | Modified: 2023/11/8
Description
Apache Camel Netty enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 are affected. 2.x users should upgrade to 2.25.1, 3.x users should upgrade to 3.2.0.
Affected packages (1)
- Maven / org.apache.camel:camel-netty >= 3.0.0, < 3.2.0
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (8)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2020-11973
- PATCH: https://github.com/apache/camel
- WEB: https://camel.apache.org/security/CVE-2020-11973.html
- WEB: https://www.oracle.com/security-alerts/cpuApr2021.html
- WEB: https://www.oracle.com/security-alerts/cpujan2021.html
- WEB: https://www.oracle.com//security-alerts/cpujul2021.html
- WEB: https://www.oracle.com/security-alerts/cpuoct2020.html
- WEB: http://www.openwall.com/lists/oss-security/2020/05/14/9