4 matches found
GHSA-26V6-W6FW-RH94 Apache Camel can allow remote attackers to execute arbitrary commands
Apache Camel 2.6.x through 2.14.x, 2.15.x before 2.15.5, and 2.16.x before 2.16.1, when using camel-jetty or camel-servlet as a consumer in Camel routes, allow remote attackers to execute arbitrary commands via a crafted serialized Java object in an HTTP request...
com.data-artisans:flakka-sample-camel-java_2.10 (=2.3-custom), com.data-artisans:flakka-sample-camel-java_2.11 (=2.3-custom) +36 more potentially affected by CVE-2015-5348 via org.apache.camel:camel-jetty (>=1.3.0 <=2.15.2)
org.apache.camel:camel-jetty MAVEN version =1.3.0, =1.0, =2.3.7, =2.1.0, =2.1.0-RC4, =2.1.4, =2.2.0-RC2 and more Source CVEs: CVE-2015-5348 Source advisory: OSV:GHSA-26V6-W6FW-RH94...
Camel: Java object deserialisation in Jetty/Servlet
It was found that Apache Camel's Jetty/Servlet usage is vulnerable to Java object deserialisation. If using camel-jetty or camel-servlet as a consumer in Camel routes, then Camel will automatically deserialise HTTP requests that use the content header:...
Apache Camel Java Object Deserialization Vulnerability
Apache Camel is an open source integration framework based on the known Enterprise Integration Patterns. In Camel routes, if camel-jetty or camel-servlet is used as a consumer, Camel will automatically deserialize HTTP requests that carry the content header application/x-java-serialized-object, remo...
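The four entries above all describe the same trigger: a consumer endpoint that hands the request body to Java deserialisation whenever the client declares the media type application/x-java-serialized-object. As an added example (not text from these advisories and not Camel project code), the check below parses raw HTTP requests and flags that condition from two independent signals, the declared Content-Type and the actual bytes of the body, and pulls the outermost class name out of a serialisation stream for triage. The sample requests, the host name and the /orders path are constructed for the example.

```python
"""Flag HTTP requests that would trigger Java object deserialisation in a
camel-jetty / camel-servlet consumer (the CVE-2015-5348 condition).
Constructed example; the sample requests below are not captured traffic."""
import struct

# Java serialisation stream header (java.io.ObjectStreamConstants).
STREAM_MAGIC = b"\xac\xed"
STREAM_VERSION = b"\x00\x05"
TC_OBJECT = 0x73       # a new object follows
TC_CLASSDESC = 0x72    # followed by writeUTF(className): 2-byte length + bytes

# The media type that makes the vulnerable consumer deserialise the body.
JAVA_SERIALIZED_TYPE = "application/x-java-serialized-object"


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (request line, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].decode("latin-1"), headers, body


def is_java_stream(body: bytes) -> bool:
    """True if the body starts with the ObjectOutputStream magic and version."""
    return body[:2] == STREAM_MAGIC and body[2:4] == STREAM_VERSION


def top_level_class(body: bytes):
    """Class name of the outermost serialised object, or None when the stream
    does not start with TC_OBJECT/TC_CLASSDESC (arrays, strings, proxies)."""
    if not is_java_stream(body) or len(body) < 8:
        return None
    if body[4] != TC_OBJECT or body[5] != TC_CLASSDESC:
        return None
    (name_len,) = struct.unpack(">H", body[6:8])
    name = body[8:8 + name_len]
    if len(name) != name_len:
        return None
    return name.decode("utf-8", errors="replace")


def assess(raw: bytes) -> dict:
    """Verdict on one request. Both the Content-Type the Camel consumer keys on
    and the body bytes are checked, so a client that mislabels its payload in
    either direction is still noticed."""
    request_line, headers, body = parse_request(raw)
    media_type = headers.get("content-type", "").split(";", 1)[0].strip().lower()
    cls = top_level_class(body)
    findings = []
    if media_type == JAVA_SERIALIZED_TYPE:
        findings.append("Content-Type asks the consumer to deserialise the body")
    if is_java_stream(body):
        what = f"top-level class {cls}" if cls else "top-level type not a plain object"
        findings.append(f"body is a Java serialisation stream ({what})")
    return {"request": request_line, "media_type": media_type,
            "java_class": cls, "suspicious": bool(findings), "findings": findings}


# Constructed sample traffic.
BENIGN = (b"POST /orders HTTP/1.1\r\nHost: camel.example\r\n"
          b"Content-Type: application/json\r\n\r\n{\"id\": 42}")

# Prefix of an ObjectOutputStream writing a java.util.HashMap: magic, version,
# TC_OBJECT, TC_CLASSDESC, writeUTF("java.util.HashMap"), serialVersionUID,
# class flags. The remainder of a real stream is omitted.
HASHMAP_PREFIX = (STREAM_MAGIC + STREAM_VERSION + bytes([TC_OBJECT, TC_CLASSDESC])
                  + b"\x00\x11java.util.HashMap"
                  + b"\x05\x07\xda\xc1\xc3\x16\x60\xd1" + b"\x03")

ATTACK = (b"POST /orders HTTP/1.1\r\nHost: camel.example\r\n"
          b"Content-Type: application/x-java-serialized-object\r\n\r\n" + HASHMAP_PREFIX)

# Same payload with a misleading media type: the Camel check described in the
# advisory would not fire on this one, but a detector should still see the magic.
DISGUISED = (b"POST /orders HTTP/1.1\r\nHost: camel.example\r\n"
             b"Content-Type: application/octet-stream\r\n\r\n" + HASHMAP_PREFIX)

if __name__ == "__main__":
    for sample in (BENIGN, ATTACK, DISGUISED):
        v = assess(sample)
        print(v["request"], v["media_type"], v["suspicious"], v["findings"])
```

The outermost class is only a triage hint: in real deserialisation payloads it is frequently an ordinary collection such as a HashMap, with the dangerous objects nested inside, so do not turn the class name into an allow-list. The fix for the versions listed above is to upgrade to a release that no longer deserialises on the strength of this header; a check like this one belongs in front of the endpoint as a detection and a stopgap, not as the remediation.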