Java Object De-Serialization Vulnerability in Apache Camel 2.x by Apache
CVE-2017-12634

9.8CRITICAL

Key Information:

Vendor
Apache
Status
Apache Camel
Vendor
CVE Published:
15 November 2017

Summary

The camel-castor component in Apache Camel versions 2.x prior to 2.19.4 and 2.20.x prior to 2.20.1 is susceptible to a vulnerability that arises from insecure Java object de-serialization. This flaw allows attackers to exploit the application by de-serializing untrusted data, potentially leading to the execution of arbitrary code and significantly compromising the security of the affected systems. Implementing secure coding practices can help mitigate the risk associated with this vulnerability.

Affected Version(s)

Apache Camel 2.19.0 to 2.19.3

Apache Camel 2.20.0

Apache Camel The unsupported Camel 2.x (2.18 and earlier) versions may be also affected.

References

https://access.redhat.com/errata/RHSA-2018:0319
vendor-advisoryx_refsource_REDHAT
http://www.securityfocus.com/bid/101876
vdb-entryx_refsource_BID
https://issues.apache.org/jira/browse/CAMEL-11929
x_refsource_CONFIRM

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.