CVE-2020-11973

Apache Camel Netty enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 are affected. 2.x users should upgrade to 2.25.1, 3.x users should upgrade to 3.2.0.

Published: May 14, 2020
Updated: May 9, 2024
CVE: CVE-2020-11973
GHSA: GHSA-h79p-32mx-fjj9
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

CWEs:

CWE-502

OWASP TOP 10:

A8 - Insecure Deserialization

Affected Software
References

Software	From	Fixed in
apache / camel	3.0.0	3.1.0.x
apache / camel	2.22.0	2.25.0.x
oracle / flexcube_private_banking	12.1.0	12.1.0.x
oracle / flexcube_private_banking	12.0.0	12.0.0.x
oracle / enterprise_manager_base_platform	13.3.0.0	13.3.0.0.x
oracle / enterprise_manager_base_platform	13.4.0.0	13.4.0.0.x
oracle / communications_diameter_signaling_router	8.0.0	8.5.0.x
org.apache.camel / camel-netty	3.0.0	3.2.0

http://www.openwall.com/lists/oss-security/2020/05/14/9
https://camel.apache.org/security/CVE-2020-11973.html
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.oracle.com/security-alerts/cpujan2021.html
https://www.oracle.com/security-alerts/cpuoct2020.html

Vulnerability Database

289,599

CVE-2020-11973