GHSA-26v6-w6fw-rh94

Source

https://github.com/advisories/GHSA-26v6-w6fw-rh94

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-26v6-w6fw-rh94/GHSA-26v6-w6fw-rh94.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-26v6-w6fw-rh94

Aliases

CVE-2015-5348

Published

2018-10-16T23:12:20Z

Modified

2024-12-06T05:25:02.385852Z

Severity

8.1 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Apache Camel can allow remote attackers to execute arbitrary commands

Details

Apache Camel 2.6.x through 2.14.x, 2.15.x before 2.15.5, and 2.16.x before 2.16.1, when using (1) camel-jetty or (2) camel-servlet as a consumer in Camel routes, allow remote attackers to execute arbitrary commands via a crafted serialized Java object in an HTTP request.

Database specific

{
    "nvd_published_at": null,
    "github_reviewed_at": "2020-06-16T20:51:34Z",
    "cwe_ids": [],
    "severity": "HIGH",
    "github_reviewed": true
}

References

Affected packages

Maven

org.apache.camel:camel-jetty

Package

Name: org.apache.camel:camel-jetty; View open source insights on deps.dev
Purl: pkg:maven/org.apache.camel/camel-jetty

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.15.5

Affected versions

1.*

1.2.0

1.3.0

1.4.0

1.5.0

1.6.0

1.6.1

1.6.2

1.6.3

1.6.4

2.*

2.0-M1

2.0-M2

2.0-M3

2.0.0

2.1.0

2.2.0

2.3.0

2.4.0

2.5.0

2.6.0

2.7.0

2.7.1

2.7.2

2.7.3

2.7.4

2.7.5

2.8.0

2.8.1

2.8.2

2.8.3

2.8.4

2.8.5

2.8.6

2.9.0-RC1

2.9.0

2.9.1

2.9.2

2.9.3

2.9.4

2.9.5

2.9.6

2.9.7

2.9.8

2.10.0

2.10.1

2.10.2

2.10.3

2.10.4

2.10.5

2.10.6

2.10.7

2.11.0

2.11.1

2.11.2

2.11.3

2.11.4

2.12.0

2.12.1

2.12.2

2.12.3

2.12.4

2.12.5

2.13.0

2.13.1

2.13.2

2.13.3

2.13.4

2.14.0

2.14.1

2.14.2

2.14.3

2.14.4

2.15.0

2.15.1

2.15.2

2.15.3

2.15.4

org.apache.camel:camel-jetty

Package

Name: org.apache.camel:camel-jetty; View open source insights on deps.dev
Purl: pkg:maven/org.apache.camel/camel-jetty

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.16.0

Fixed

2.16.1

Affected versions

2.*

2.16.0

org.apache.camel:camel-servlet

Package

Name: org.apache.camel:camel-servlet; View open source insights on deps.dev
Purl: pkg:maven/org.apache.camel/camel-servlet

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.15.5

Affected versions

2.*

2.0-M3

2.0.0

2.1.0

2.2.0

2.3.0

2.4.0

2.5.0

2.6.0

2.7.0

2.7.1

2.7.2

2.7.3

2.7.4

2.7.5

2.8.0

2.8.1

2.8.2

2.8.3

2.8.4

2.8.5

2.8.6

2.9.0-RC1

2.9.0

2.9.1

2.9.2

2.9.3

2.9.4

2.9.5

2.9.6

2.9.7

2.9.8

2.10.0

2.10.1

2.10.2

2.10.3

2.10.4

2.10.5

2.10.6

2.10.7

2.11.0

2.11.1

2.11.2

2.11.3

2.11.4

2.12.0

2.12.1

2.12.2

2.12.3

2.12.4

2.12.5

2.13.0

2.13.1

2.13.2

2.13.3

2.13.4

2.14.0

2.14.1

2.14.2

2.14.3

2.14.4

2.15.0

2.15.1

2.15.2

2.15.3

2.15.4

org.apache.camel:camel-servlet

Package

Name: org.apache.camel:camel-servlet; View open source insights on deps.dev
Purl: pkg:maven/org.apache.camel/camel-servlet

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.16.0

Fixed

2.16.1

Affected versions

2.*

2.16.0

org.apache.camel:camel-http

Package

Name: org.apache.camel:camel-http; View open source insights on deps.dev
Purl: pkg:maven/org.apache.camel/camel-http

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.15.5

Affected versions

1.*

1.0.0

1.1.0

1.2.0

1.3.0

1.4.0

1.5.0

1.6.0

1.6.1

1.6.2

1.6.3

1.6.4

2.*

2.0-M1

2.0-M2

2.0-M3

2.0.0

2.1.0

2.2.0

2.3.0

2.4.0

2.5.0

2.6.0

2.7.0

2.7.1

2.7.2

2.7.3

2.7.4

2.7.5

2.8.0

2.8.1

2.8.2

2.8.3

2.8.4

2.8.5

2.8.6

2.9.0-RC1

2.9.0

2.9.1

2.9.2

2.9.3

2.9.4

2.9.5

2.9.6

2.9.7

2.9.8

2.10.0

2.10.1

2.10.2

2.10.3

2.10.4

2.10.5

2.10.6

2.10.7

2.11.0

2.11.1

2.11.2

2.11.3

2.11.4

2.12.0

2.12.1

2.12.2

2.12.3

2.12.4

2.12.5

2.13.0

2.13.1

2.13.2

2.13.3

2.13.4

2.14.0

2.14.1

2.14.2

2.14.3

2.14.4

2.15.0

2.15.1

2.15.2

2.15.3

2.15.4

org.apache.camel:camel-http

Package

Name: org.apache.camel:camel-http; View open source insights on deps.dev
Purl: pkg:maven/org.apache.camel/camel-http

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.16.0

Fixed

2.16.1

Affected versions

2.*

2.16.0

org.apache.camel:camel-http-common

Package

Name: org.apache.camel:camel-http-common; View open source insights on deps.dev
Purl: pkg:maven/org.apache.camel/camel-http-common

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.15.5

org.apache.camel:camel-http-common

Package

Name: org.apache.camel:camel-http-common; View open source insights on deps.dev
Purl: pkg:maven/org.apache.camel/camel-http-common

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.16.0

Fixed

2.16.1

Affected versions

2.*

2.16.0

org.apache.camel:camel-http4

Package

Name: org.apache.camel:camel-http4; View open source insights on deps.dev
Purl: pkg:maven/org.apache.camel/camel-http4

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.15.5

Affected versions

2.*

2.3.0

2.4.0

2.5.0

2.6.0

2.7.0

2.7.1

2.7.2

2.7.3

2.7.4

2.7.5

2.8.0

2.8.1

2.8.2

2.8.3

2.8.4

2.8.5

2.8.6

2.9.0-RC1

2.9.0

2.9.1

2.9.2

2.9.3

2.9.4

2.9.5

2.9.6

2.9.7

2.9.8

2.10.0

2.10.1

2.10.2

2.10.3

2.10.4

2.10.5

2.10.6

2.10.7

2.11.0

2.11.1

2.11.2

2.11.3

2.11.4

2.12.0

2.12.1

2.12.2

2.12.3

2.12.4

2.12.5

2.13.0

2.13.1

2.13.2

2.13.3

2.13.4

2.14.0

2.14.1

2.14.2

2.14.3

2.14.4

2.15.0

2.15.1

2.15.2

2.15.3

2.15.4

org.apache.camel:camel-http4

Package

Name: org.apache.camel:camel-http4; View open source insights on deps.dev
Purl: pkg:maven/org.apache.camel/camel-http4

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.16.0

Fixed

2.16.1

Affected versions

2.*

2.16.0

org.apache.camel:camel-ahc

Package

Name: org.apache.camel:camel-ahc; View open source insights on deps.dev
Purl: pkg:maven/org.apache.camel/camel-ahc

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.15.5

Affected versions

2.*

2.8.0

2.8.1

2.8.2

2.8.3

2.8.4

2.8.5

2.8.6

2.9.0-RC1

2.9.0

2.9.1

2.9.2

2.9.3

2.9.4

2.9.5

2.9.6

2.9.7

2.9.8

2.10.0

2.10.1

2.10.2

2.10.3

2.10.4

2.10.5

2.10.6

2.10.7

2.11.0

2.11.1

2.11.2

2.11.3

2.11.4

2.12.0

2.12.1

2.12.2

2.12.3

2.12.4

2.12.5

2.13.0

2.13.1

2.13.2

2.13.3

2.13.4

2.14.0

2.14.1

2.14.2

2.14.3

2.14.4

2.15.0

2.15.1

2.15.2

2.15.3

2.15.4

org.apache.camel:camel-ahc

Package

Name: org.apache.camel:camel-ahc; View open source insights on deps.dev
Purl: pkg:maven/org.apache.camel/camel-ahc

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.16.0

Fixed

2.16.1

Affected versions

2.*

2.16.0