Apache Camel can allow remote attackers to execute arbitrary commands · CVE-2015-5348 · GitHub Advisory Database · GitHub

Apache Camel can allow remote attackers to execute arbitrary commands

High severity GitHub Reviewed Published Oct 16, 2018 to the GitHub Advisory Database • Updated Dec 19, 2023

Package

org.apache.camel:camel-ahc (Maven)

Affected versions

< 2.15.5

= 2.16.0

Patched versions

2.15.5

2.16.1

org.apache.camel:camel-http (Maven)

< 2.15.5

= 2.16.0

2.15.5

2.16.1

org.apache.camel:camel-http-common (Maven)

< 2.15.5

= 2.16.0

2.15.5

2.16.1

org.apache.camel:camel-http4 (Maven)

< 2.15.5

= 2.16.0

2.15.5

2.16.1

org.apache.camel:camel-jetty (Maven)

< 2.15.5

= 2.16.0

2.15.5

2.16.1

org.apache.camel:camel-servlet (Maven)

< 2.15.5

= 2.16.0

2.15.5

2.16.1

Description

Apache Camel 2.6.x through 2.14.x, 2.15.x before 2.15.5, and 2.16.x before 2.16.1, when using (1) camel-jetty or (2) camel-servlet as a consumer in Camel routes, allow remote attackers to execute arbitrary commands via a crafted serialized Java object in an HTTP request.

References

Published to the GitHub Advisory Database Oct 16, 2018

Reviewed Jun 16, 2020

Last updated Dec 19, 2023

Severity

High

8.1

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

High

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H