CVE-2020-11972

high-risk

Published 2020-05-14

Apache Camel RabbitMQ enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 are affected. 2.x users should upgrade to 2.25.1, 3.x users should upgrade to 3.2.0.

Do I need to act?

6.9% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (6)

Camel

Communications Diameter Signaling Router

Enterprise Manager Base Platform

Flexcube Private Banking

Affected Vendors

Apache Oracle

References (10)

Mailing List http://www.openwall.com/lists/oss-security/2020/05/14/10

Mailing List http://www.openwall.com/lists/oss-security/2020/05/14/8

Vendor Advisory https://camel.apache.org/security/CVE-2020-11972.html

Third Party Advisory https://www.oracle.com/security-alerts/cpujan2021.html

Third Party Advisory https://www.oracle.com/security-alerts/cpuoct2020.html

Mailing List http://www.openwall.com/lists/oss-security/2020/05/14/10

Mailing List http://www.openwall.com/lists/oss-security/2020/05/14/8

Vendor Advisory https://camel.apache.org/security/CVE-2020-11972.html

Third Party Advisory https://www.oracle.com/security-alerts/cpujan2021.html

Third Party Advisory https://www.oracle.com/security-alerts/cpuoct2020.html

/ 100

high-risk

Severity 32/34 · Critical

Exploitability 9/34 · Low

Exposure 13/34 · Low