CVE-2015-5344
camel-xstream: Java object de-serialization vulnerability leads to RCE
Severity Score: 9.8 (CVSS v3)
Exploit Likelihood (EPSS)
Affected Versions (CPE)
Public Exploits: 0 (Multiple Sources)
Exploited in Wild: - (KEV)
Decision: - (SSVC)
Descriptions
The camel-xstream component in Apache Camel before 2.15.5 and 2.16.x before 2.16.1 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in an HTTP request.
The camel-xstream component in Apache Camel in versions prior to 2.15.5 and 2.16.x in versions prior to 2.16.1 allows remote attackers to execute arbitrary commands via a manipulated serialized Java object in an HTTP request.
It was found that Apache Camel's camel-xstream component was vulnerable to Java object deserialization. This vulnerability permits deserialization of untrusted data, which could lead to information disclosure, code execution, or other possible attacks.
*Credits:
N/A
CVSS Scores
CVSS v3 metrics: Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality, Integrity, Availability (values not shown)
CVSS v2 metrics: Attack Vector, Attack Complexity, Authentication, Confidentiality, Integrity, Availability (values not shown)
* Common Vulnerability Scoring System
SSVC
- Decision: -
- Exploitation
- Automatable
- Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2015-07-01 CVE Reserved
- 2016-02-01 CVE Published
- 2023-05-06 EPSS Updated
- 2024-08-06 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-19: Data Processing Errors
- CWE-502: Deserialization of Untrusted Data
CAPEC
References (8)
URL | Date | SRC
---|---|---
http://camel.apache.org/security-advisories.data/CVE-2015-5344.txt.asc | 2023-11-07 |
http://rhn.redhat.com/errata/RHSA-2016-2035.html | 2023-11-07 |
https://access.redhat.com/security/cve/CVE-2015-5344 | 2016-10-06 |
https://bugzilla.redhat.com/show_bug.cgi?id=1303609 | 2016-10-06 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Apache | Camel | <= 2.15.4 | - | Affected
Apache | Camel | 2.16.0 | - | Affected