PT-2024-3886 · Apache · Apache Camel
Andrea Cosentino
Published 2024-02-19 · Updated 2026-04-27
CVE-2024-23114
CVSS v3.1: 10 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions:
Apache Camel versions 3.0.0 through 3.21.3
Apache Camel version 3.22.0
Apache Camel versions 4.0.0 through 4.0.3
Apache Camel versions 4.1.0 through 4.3.x
Description:
The AggregationRepository of the Apache Camel CassandraQL component deserializes untrusted data without adequate safeguards. Under specific conditions, a malicious payload can be deserialized, potentially allowing a remote attacker to execute arbitrary code.
Recommendations:
For Apache Camel versions 3.0.0 through 3.21.3, upgrade to version 3.21.4.
For Apache Camel version 3.22.0, upgrade to version 3.22.1.
For Apache Camel versions 4.0.0 through 4.0.3, upgrade to version 4.0.4.
For Apache Camel versions 4.1.0 through 4.3.x, upgrade to version 4.4.0.
Weakness Enumeration:
Deserialization of Untrusted Data
Affected Products:
Apache Camel