CVE-2020-11972

Apache Camel RabbitMQ enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 are affected. 2.x users should upgrade to 2.25.1, 3.x users should upgrade to 3.2.0.

Published: May 14, 2020
Updated: May 9, 2024
CVE: CVE-2020-11972
GHSA: GHSA-2x6r-7427-95cm
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

CWEs:

CWE-502

OWASP TOP 10:

A8 - Insecure Deserialization

Affected Software
References

Software	From	Fixed in
apache / camel	3.0.0	3.1.0.x
apache / camel	2.22.0	2.25.0.x
oracle / flexcube_private_banking	12.1.0	12.1.0.x
oracle / flexcube_private_banking	12.0.0	12.0.0.x
oracle / enterprise_manager_base_platform	13.3.0.0	13.3.0.0.x
oracle / enterprise_manager_base_platform	13.4.0.0	13.4.0.0.x
oracle / communications_diameter_signaling_router	8.0.0	8.2.2.x
org.apache.camel / camel-rabbitmq	-	2.25.1
org.apache.camel / camel-rabbitmq	3.0.0	3.2.0

Vulnerability Database

289,599

CVE-2020-11972