CVE-2020-11972
camel: RabbitMQ enables Java deserialization by default which could leed to remote code execution
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Apache Camel RabbitMQ enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 are affected. 2.x users should upgrade to 2.25.1, 3.x users should upgrade to 3.2.0.
Apache Camel RabbitMQ permite una deserialización de Java por defecto. Apache Camel versiones 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 hasta 3.1.0 están afectadas. Los usuarios de la versión 2.x deben actualizar a la versión 2.25.1, los usuarios de la versión 3.x deben actualizar a la versión 3.2.0.
A flaw was found in camel up to versions 2.25.1 and 3.x. Apache Camel RabbitMQ enables java deserialization, by default, without any means of disabling which can lead to arbitrary code being executed. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2020-04-21 CVE Reserved
- 2020-05-14 CVE Published
- 2024-03-18 EPSS Updated
- 2024-08-04 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-502: Deserialization of Untrusted Data
CAPEC
References (7)
| URL | Tag | Source |
|---|---|---|
| http://www.openwall.com/lists/oss-security/2020/05/14/10 | Mailing List |
|
| http://www.openwall.com/lists/oss-security/2020/05/14/8 | Mailing List |
|
| https://www.oracle.com/security-alerts/cpujan2021.html | Third Party Advisory |
|
| https://www.oracle.com/security-alerts/cpuoct2020.html | Third Party Advisory |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://camel.apache.org/security/CVE-2020-11972.html | 2021-03-15 | |
| https://access.redhat.com/security/cve/CVE-2020-11972 | 2020-12-16 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1848464 | 2020-12-16 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Apache Search vendor "Apache" | Camel Search vendor "Apache" for product "Camel" | >= 2.22.0 <= 2.25.0 Search vendor "Apache" for product "Camel" and version " >= 2.22.0 <= 2.25.0" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Camel Search vendor "Apache" for product "Camel" | >= 3.0.0 <= 3.1.0 Search vendor "Apache" for product "Camel" and version " >= 3.0.0 <= 3.1.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Diameter Signaling Router Search vendor "Oracle" for product "Communications Diameter Signaling Router" | >= 8.0.0 <= 8.2.2 Search vendor "Oracle" for product "Communications Diameter Signaling Router" and version " >= 8.0.0 <= 8.2.2" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Enterprise Manager Base Platform Search vendor "Oracle" for product "Enterprise Manager Base Platform" | 13.3.0.0 Search vendor "Oracle" for product "Enterprise Manager Base Platform" and version "13.3.0.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Enterprise Manager Base Platform Search vendor "Oracle" for product "Enterprise Manager Base Platform" | 13.4.0.0 Search vendor "Oracle" for product "Enterprise Manager Base Platform" and version "13.4.0.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Flexcube Private Banking Search vendor "Oracle" for product "Flexcube Private Banking" | 12.0.0 Search vendor "Oracle" for product "Flexcube Private Banking" and version "12.0.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Flexcube Private Banking Search vendor "Oracle" for product "Flexcube Private Banking" | 12.1.0 Search vendor "Oracle" for product "Flexcube Private Banking" and version "12.1.0" | - |
Affected
| ||||||