CVE-2015-5348

CVSSv2: 6.8

Published: 15/04/2016 Updated: 07/11/2023
CVSS v2 Base Score: 6.8 | Impact Score: 6.4 | Exploitability Score: 8.6
CVSS v3 Base Score: 8.1 | Impact Score: 5.9 | Exploitability Score: 2.2
VMScore: 607
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Summary

Apache Camel 2.6.x up to and including 2.14.x, 2.15.x prior to 2.15.5, and 2.16.x prior to 2.16.1, when using (1) camel-jetty or (2) camel-servlet as a consumer in Camel routes, allow remote malicious users to execute arbitrary commands via a crafted serialized Java object in an HTTP request.

Vulnerable Products

apache camel 2.6.0
apache camel 2.7.0
apache camel 2.7.1
apache camel 2.7.2
apache camel 2.7.3
apache camel 2.7.4
apache camel 2.7.5
apache camel 2.8.0
apache camel 2.8.1
apache camel 2.8.2
apache camel 2.8.3
apache camel 2.8.4
apache camel 2.8.5
apache camel 2.8.6
apache camel 2.9.0
apache camel 2.9.1
apache camel 2.9.2
apache camel 2.9.3
apache camel 2.9.4
apache camel 2.9.5
apache camel 2.9.6
apache camel 2.9.7
apache camel 2.9.8
apache camel 2.10.0
apache camel 2.10.1
apache camel 2.10.2
apache camel 2.10.3
apache camel 2.10.4
apache camel 2.10.5
apache camel 2.10.6
apache camel 2.10.7
apache camel 2.11.0
apache camel 2.11.1
apache camel 2.11.2
apache camel 2.11.3
apache camel 2.11.4
apache camel 2.12.0
apache camel 2.12.1
apache camel 2.12.2
apache camel 2.12.3
apache camel 2.12.4
apache camel 2.12.5
apache camel 2.13.0
apache camel 2.13.1
apache camel 2.13.2
apache camel 2.13.3
apache camel 2.13.4
apache camel 2.14.0
apache camel 2.14.1
apache camel 2.14.2
apache camel 2.14.3
apache camel 2.14.4
apache camel 2.15.0
apache camel 2.15.1
apache camel 2.15.2
apache camel 2.15.3
apache camel 2.15.4
apache camel 2.16.0

Vendor Advisories

It was found that Apache Camel's Jetty/Servlet usage is vulnerable to a Java object de-serialisation vulnerability. If using camel-jetty or camel-servlet as a consumer in Camel routes, then Camel will automatically de-serialize HTTP requests that use the content-header: application/x-java-serialized-object ...