4 matches found
com.github.taymindis:channeling-camel (>=2.3.1 <=2.3.2), com.github.taymindis:channeling-camel-springboot (>=2.3.1 <=2.3.2) +47 more potentially affected by CVE-2020-11973 via org.apache.camel:camel-netty (>=3.0.0 <=3.22.4)
org.apache.camel:camel-netty (Maven) versions =3.0.0, =2.3.1, =0.46, =0.3, =0.5, =1.3.0, =0.1.0, =0.10.1, =3.21.0 and more. Source CVEs: CVE-2020-11973. Source advisory: OSV:GHSA-H79P-32MX-FJJ9...
Insecure Deserialization
camel-netty is vulnerable to insecure deserialization. If no codec is specified on the endpoint, the component installs a default codec that uses Java object serialization, so inbound payloads are deserialized with Java deserialization by default rather than being restricted to Strings...
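The following is an added example, not code from the advisory page or from the Apache Camel project. It shows the two endpoint shapes the description above refers to: a camel-netty TCP consumer with no codec configured (on affected versions this gets the default Java-serialization codec) beside the same consumer pinned to a text-line codec, which keeps Java deserialization out of the pipeline regardless of version. It assumes Apache Camel 3.x with camel-core and camel-netty on the classpath; the port numbers, route ids and reply body are arbitrary choices for the example.

```java
// Added example (not from the advisory page or the Apache Camel project).
// Assumes Apache Camel 3.x with camel-core and camel-netty on the classpath.
// Ports 5555/5556, the route ids and the "ack" reply are arbitrary.
import org.apache.camel.CamelContext;
import org.apache.camel.builder.RouteBuilder;
import org.apache.camel.impl.DefaultCamelContext;

public class CamelNettyCodecExample {

    /** Endpoint shape that triggers the issue: no codec configured at all. */
    static RouteBuilder vulnerableRoute() {
        return new RouteBuilder() {
            @Override
            public void configure() {
                // No encoders/decoders and no textline flag: on the affected versions
                // camel-netty falls back to its default ObjectEncoder/ObjectDecoder, so
                // every inbound TCP payload is passed through Java deserialization
                // before the route body runs. Any client that can reach port 5555 can
                // send a serialized object graph of its choosing.
                from("netty:tcp://0.0.0.0:5555?sync=true")
                    .routeId("netty-default-codec")
                    .log("received: ${body}")
                    .setBody(constant("ack"));
            }
        };
    }

    /** Hardened shape: the wire format is explicitly text, so no object codec is installed. */
    static RouteBuilder hardenedRoute() {
        return new RouteBuilder() {
            @Override
            public void configure() {
                // textline=true makes camel-netty install a line-delimited frame decoder
                // plus String decoder/encoder instead of the object codec. The body
                // arrives as a java.lang.String and nothing calls readObject().
                // decoderMaxLineLength bounds one frame so a client cannot make the
                // decoder buffer unbounded input while waiting for a delimiter.
                from("netty:tcp://0.0.0.0:5556"
                        + "?sync=true"
                        + "&textline=true"
                        + "&delimiter=LINE"
                        + "&decoderMaxLineLength=4096"
                        + "&encoding=UTF-8")
                    .routeId("netty-textline-codec")
                    .log("received: ${body}")
                    .setBody(constant("ack"));
            }
        };
    }

    public static void main(String[] args) throws Exception {
        CamelContext ctx = new DefaultCamelContext();
        // Only the hardened route is started; vulnerableRoute() is kept for comparison.
        ctx.addRoutes(hardenedRoute());
        ctx.start();
        // Try it from a shell:  printf 'hello\n' | nc localhost 5556   (replies "ack")
        Thread.sleep(60_000);
        ctx.stop();
    }
}
```

Two caveats. First, upgrading to the versions the advisory names is the actual fix; the textline configuration is a mitigation that removes the object codec from the pipeline on any version and is worth keeping even after upgrading, because an endpoint that never declares its wire format is the pattern that caused the problem. Second, if the protocol is not line-oriented, do not simply drop textline: set allowDefaultCodec=false and supply your own decoders=#... / encoders=#... from the registry, with a framing decoder in front and never an ObjectDecoder, otherwise the endpoint is back to whatever the component installs by default.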
Deserialization of untrusted data
Apache Camel Netty enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, and 3.0.0 up to 3.1.0 are affected. 2.x users should upgrade to 2.25.1; 3.x users should upgrade to 3.2.0...
CVE-2020-11973
Apache Camel Netty enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, and 3.0.0 up to 3.1.0 are affected. 2.x users should upgrade to 2.25.1; 3.x users should upgrade to 3.2.0...