Java Object De-Serialization Vulnerability in Apache Camel's Component
CVE-2017-3159

9.8CRITICAL

Key Information:

Vendor
Apache
Status
Apache Camel
Vendor
CVE Published:
7 March 2017

Summary

The camel-snakeyaml component of Apache Camel is susceptible to a security flaw that arises from improper handling of Java object de-serialization. When untrusted data is de-serialized, it may allow attackers to execute arbitrary code, leading to severe security implications. This issue emphasizes the importance of safely managing untrusted input to prevent potential threats and exploits.

Affected Version(s)

Apache Camel 2.17.0 to 2.17.4

Apache Camel 2.18.0 to 2.18.1

Apache Camel The unsupported Camel 2.x (2.14 and earlier) versions may be also affected.

References

https://access.redhat.com/errata/RHSA-2017:0868
vendor-advisoryx_refsource_REDHAT
https://www.github.com/mbechler/marshalsec/blob/master/ma...
x_refsource_MISC
http://www.securityfocus.com/bid/96321
vdb-entryx_refsource_BID

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.