Vulnerability Details : CVE-2020-11972
Apache Camel RabbitMQ enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 are affected. 2.x users should upgrade to 2.25.1, 3.x users should upgrade to 3.2.0.
Products affected by CVE-2020-11972
- cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:enterprise_manager_base_platform:13.3.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:flexcube_private_banking:12.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:*
- Oracle Communications Diameter Signaling Router, versions from 8.0.0 (inclusive) up to and including 8.2.2: cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-11972
- EPSS score: 0.80% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~81% (the proportion of vulnerabilities scored at or below this value)
CVSS scores for CVE-2020-11972
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST | |
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | |
CWE ids for CVE-2020-11972
- The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2020-11972
- https://www.oracle.com/security-alerts/cpuoct2020.html : Oracle Critical Patch Update Advisory - October 2020 (Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2020/05/14/10 : oss-security - Re: [SECURITY] New security advisory CVE-2020-11972 released for Apache Camel (Mailing List; Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2020/05/14/8 : oss-security - [SECURITY] New security advisory CVE-2020-11972 released for Apache Camel (Mailing List; Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujan2021.html : Oracle Critical Patch Update Advisory - January 2021 (Third Party Advisory)
- https://camel.apache.org/security/CVE-2020-11972.html : Apache Camel Security Advisory - CVE-2020-11972 - Apache Camel (Vendor Advisory)