CVE-2015-5344

Опубликовано: 06 нояб. 2015

Источник: redhat

CVSS3: 4.2

CVSS2: 4.3

EPSS Низкий

Описание

The camel-xstream component in Apache Camel before 2.15.5 and 2.16.x before 2.16.1 allow remote attackers to execute arbitrary commands via a crafted serialized Java object in an HTTP request.

It was found that Apache Camel's camel-xstream component was vulnerable to Java object deserialization. This vulnerability permits deserialization of data which could lead to information disclosure, code execution, or other possible attacks.

Затронутые пакеты

Платформа	Пакет	Состояние	Рекомендация	Релиз
OpenShift Enterprise 1	camel	Will not fix
Red Hat JBoss BRMS 5	camel	Will not fix
Red Hat JBoss Fuse 6	camel	Affected
Red Hat JBoss Fuse Service Works 6	camel	Affected
Red Hat OpenShift Enterprise 2	camel	Affected
Red Hat JBoss Fuse 6.3		Fixed	RHSA-2016:2035	06.10.2016

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate

Дефект:

CWE-502

https://bugzilla.redhat.com/show_bug.cgi?id=1303609camel-xstream: Java object de-serialization vulnerability leads to RCE

EPSS

Процентиль: 89%

0.04974

Низкий

4.2 Medium

CVSS3

4.3 Medium

CVSS2

Связанные уязвимости

CVE-2015-5344

CVSS3: 9.8

nvd

около 10 лет назад

The camel-xstream component in Apache Camel before 2.15.5 and 2.16.x before 2.16.1 allow remote attackers to execute arbitrary commands via a crafted serialized Java object in an HTTP request.

GHSA-gv5f-cjw9-5vxg