Description
Apache Camel's Jackson and JacksonXML unmarshalling operations are vulnerable to Remote Code Execution attacks.
It was found that Apache Camel's camel-jackson and camel-jacksonxml components are affected by a Java object deserialization vulnerability. Camel allows an arbitrary unmarshal type to be specified through the 'CamelJacksonUnmarshalType' property. Deserializing untrusted data can lead to security flaws, as demonstrated in various similar reports about Java deserialization issues.
Affected packages
| Platform | Package | State | Advisory | Release date |
|---|---|---|---|---|
| Red Hat JBoss Fuse 6 | camel | Affected | | |
| Red Hat JBoss Fuse Service Works 6 | camel-jackson | Will not fix | | |
| Red Hat OpenShift Enterprise 2 | camel-jackson | Under investigation | | |
| Red Hat JBoss A-MQ 6.3 | | Fixed | RHSA-2017:1832 | 10.08.2017 |
| Red Hat JBoss Fuse 6.3 | | Fixed | RHSA-2017:1832 | 10.08.2017 |
Additional information
Severity: Moderate
Weakness: CWE-502
https://bugzilla.redhat.com/show_bug.cgi?id=1420832
camel-jacksonxml: Unmarshalling operation are vulnerable to RCE
EPSS: 0.05584 (percentile: 90%), rated Low
CVSS3: 8.1 High
Related vulnerabilities
CVSS3: 9.8
nvd
almost 9 years ago
Apache Camel's Jackson and JacksonXML unmarshalling operation are vulnerable to Remote Code Execution attacks.
CVSS3: 9.8
github
more than 7 years ago
Apache Camel's Jackson and JacksonXML unmarshalling operation are vulnerable to Remote Code Execution attacks