CVE-2020-11973 – org.apache.camel:camel-netty
Package
Manager: maven
Name: org.apache.camel:camel-netty
Vulnerable Version: >=3.0.0 <3.2.0
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.09483 (percentile 0.92521)
Details
Apache Camel Netty enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, and 3.0.0 up to 3.1.0 are affected. 2.x users should upgrade to 2.25.1; 3.x users should upgrade to 3.2.0.
Metadata
Created: 2020-05-21T21:09:04Z
Modified: 2022-10-06T18:15:00Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-h79p-32mx-fjj9/GHSA-h79p-32mx-fjj9.json
CWE IDs: ["CWE-502"]
Alternative ID: GHSA-h79p-32mx-fjj9
Finding: F096
Auto approve: 1