CVE-2024-23114

Apache Camel: Camel-CassandraQL: Unsafe Deserialization from CassandraAggregationRepository

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

Deserialization of Untrusted Data vulnerability in Apache Camel CassandraQL Component AggregationRepository which is vulnerable to unsafe deserialization. Under specific conditions it is possible to deserialize malicious payload.This issue affects Apache Camel: from 3.0.0 before 3.21.4, from 3.22.0 before 3.22.1, from 4.0.0 before 4.0.4, from 4.1.0 before 4.4.0.

Users are recommended to upgrade to version 4.4.0, which fixes the issue. If users are on the 4.0.x LTS releases stream, then they are suggested to upgrade to 4.0.4. If users are on 3.x, they are suggested to move to 3.21.4 or 3.22.1

Vulnerabilidad de deserialización de datos no confiables en Apache Camel CassandraQL Component AggregationRepository que es vulnerable a una deserialización insegura. Bajo condiciones específicas, es posible deserializar la carga útil maliciosa. Este problema afecta a Apache Camel: desde 3.0.0 antes de 3.21.4, desde 3.22.0 antes de 3.22.1, desde 4.0.0 antes de 4.0.4, desde 4.1.0 antes de 4.4 .0. Se recomienda a los usuarios actualizar a la versión 4.4.0, que soluciona el problema. Si los usuarios están en el flujo de versiones 4.0.x LTS, se les sugiere actualizar a 4.0.4. Si los usuarios están en 3.x, se les sugiere pasar a 3.21.4 o 3.22.1

*Credits: Federico Mariani From Apache Software Foundation, Andrea Cosentino from Apache Software Foundation

CVSS Scores

CISAv3.1 9.8

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

None

Automatable

Yes

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2024-01-11 CVE Reserved
2024-02-20 CVE Published
2024-02-21 EPSS Updated
2024-08-28 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-502: Deserialization of Untrusted Data

CAPEC

References (1)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://camel.apache.org/security/CVE-2024-23114.html	2024-02-20

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Software Foundation Search vendor "Apache Software Foundation"		Apache Camel Search vendor "Apache Software Foundation" for product "Apache Camel"				>= 3.0.0 < 3.21.4 Search vendor "Apache Software Foundation" for product "Apache Camel" and version " >= 3.0.0 < 3.21.4"		en		Affected
Apache Software Foundation Search vendor "Apache Software Foundation"		Apache Camel Search vendor "Apache Software Foundation" for product "Apache Camel"				>= 3.22.0 < 3.22.1 Search vendor "Apache Software Foundation" for product "Apache Camel" and version " >= 3.22.0 < 3.22.1"		en		Affected
Apache Software Foundation Search vendor "Apache Software Foundation"		Apache Camel Search vendor "Apache Software Foundation" for product "Apache Camel"				>= 4.0.0 < 4.0.4 Search vendor "Apache Software Foundation" for product "Apache Camel" and version " >= 4.0.0 < 4.0.4"		en		Affected
Apache Software Foundation Search vendor "Apache Software Foundation"		Apache Camel Search vendor "Apache Software Foundation" for product "Apache Camel"				>= 4.1.0 < 4.4.0 Search vendor "Apache Software Foundation" for product "Apache Camel" and version " >= 4.1.0 < 4.4.0"		en		Affected