org.apache.camel:camel-atmosphere-websocket (=2.16.0), org.apache.camel:camel-example-cxf-tomcat (=2.16.0) +8 more potentially affected by CVE-2015-5348 via org.apache.camel:camel-servlet (=2.16.0)
org.apache.camel:camel-servlet MAVEN version =2.16.0 is affected by a known vulnerability. The following packages have a transitive dependency on org.apache.camel:camel-servlet and may be impacted: - org.apache.camel:camel-atmosphere-websocket =2.16.0 - org.apache.camel:camel-example-cxf-tomcat...
de.wayofquality.blended:blended-camel-utils (>=1.1.2 <=1.1.4), de.wayofquality.blended:blended-karaf-features (>=1.1.2 <=1.1.4) +45 more potentially affected by CVE-2015-5348 via org.apache.camel:camel-servlet (>=2.10.0 <=2.15.4)
org.apache.camel:camel-servlet MAVEN version =2.10.0, =1.1.2, =1.1.2, =0.0.4, =0.0.4, =0.0.3, =0.0.3, =0.0.4, =0.0.3, =0.0.4, =0.0.5 and more Source cves: CVE-2015-5348 Source advisory: OSV:GHSA-26V6-W6FW-RH94...
GHSA-26V6-W6FW-RH94 Apache Camel can allow remote attackers to execute arbitrary commands
Apache Camel 2.6.x through 2.14.x, 2.15.x before 2.15.5, and 2.16.x before 2.16.1, when using (1) camel-jetty or (2) camel-servlet as a consumer in Camel routes, allow remote attackers to execute arbitrary commands via a crafted serialized Java object in an HTTP request...
Camel: Java object deserialisation in Jetty/Servlet
It was found that Apache Camel's Jetty/Servlet usage is vulnerable to a Java object de-serialisation vulnerability. If using camel-jetty or camel-servlet as a consumer in Camel routes, then Camel will automatically de-serialize HTTP requests that use the content-header:...
Apache Camel Java Object Deserialization Vulnerability
Apache Camel is an open source integration framework based on the known enterprise-class integration model. In Camel routes, if camel-jetty or camel-servlet is used as a consumer, Camel will automatically deserialize HTTP requests using content-header: application/x-java-serialized-object, remo...