cnvd - cnvd-2024-39157

cnvd-2024-39157

Vulnerability from cnvd

Title: Apache Camel反序列化漏洞

Description:

Apache Camel是美国阿帕奇（Apache）基金会的一套开源的基于Enterprise Integration Pattern(企业整合模式，简称EIP)的集成框架。该框架提供企业集成模式的Java对象（POJO）的实现，且通过应用程序接口来配置路由和中介的规则。

Apache Camel存在反序列化漏洞，该漏洞源于应用程序在接收用户提交的序列化数据的不安全反序列化处理，攻击者可利用该漏洞导致代码执行。

Severity: 高

Patch Name: Apache Camel反序列化漏洞的补丁

Patch Description:

Apache Camel存在反序列化漏洞，该漏洞源于应用程序在接收用户提交的序列化数据的不安全反序列化处理，攻击者可利用该漏洞导致代码执行。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

厂商已发布了漏洞修复程序，请及时关注更新： https://camel.apache.org/security/CVE-2024-23114.html

Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-23114

Impacted products

Name
Apache Camel

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2024-23114",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2024-23114"
    }
  },
  "description": "Apache Camel\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u5957\u5f00\u6e90\u7684\u57fa\u4e8eEnterprise Integration Pattern(\u4f01\u4e1a\u6574\u5408\u6a21\u5f0f\uff0c\u7b80\u79f0EIP)\u7684\u96c6\u6210\u6846\u67b6\u3002\u8be5\u6846\u67b6\u63d0\u4f9b\u4f01\u4e1a\u96c6\u6210\u6a21\u5f0f\u7684Java\u5bf9\u8c61\uff08POJO\uff09\u7684\u5b9e\u73b0\uff0c\u4e14\u901a\u8fc7\u5e94\u7528\u7a0b\u5e8f\u63a5\u53e3\u6765\u914d\u7f6e\u8def\u7531\u548c\u4e2d\u4ecb\u7684\u89c4\u5219\u3002\n\nApache Camel\u5b58\u5728\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5e94\u7528\u7a0b\u5e8f\u5728\u63a5\u6536\u7528\u6237\u63d0\u4ea4\u7684\u5e8f\u5217\u5316\u6570\u636e\u7684\u4e0d\u5b89\u5168\u53cd\u5e8f\u5217\u5316\u5904\u7406\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u4ee3\u7801\u6267\u884c\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://camel.apache.org/security/CVE-2024-23114.html",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2024-39157",
  "openTime": "2024-09-25",
  "patchDescription": "Apache Camel\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u5957\u5f00\u6e90\u7684\u57fa\u4e8eEnterprise Integration Pattern(\u4f01\u4e1a\u6574\u5408\u6a21\u5f0f\uff0c\u7b80\u79f0EIP)\u7684\u96c6\u6210\u6846\u67b6\u3002\u8be5\u6846\u67b6\u63d0\u4f9b\u4f01\u4e1a\u96c6\u6210\u6a21\u5f0f\u7684Java\u5bf9\u8c61\uff08POJO\uff09\u7684\u5b9e\u73b0\uff0c\u4e14\u901a\u8fc7\u5e94\u7528\u7a0b\u5e8f\u63a5\u53e3\u6765\u914d\u7f6e\u8def\u7531\u548c\u4e2d\u4ecb\u7684\u89c4\u5219\u3002\r\n\r\nApache Camel\u5b58\u5728\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5e94\u7528\u7a0b\u5e8f\u5728\u63a5\u6536\u7528\u6237\u63d0\u4ea4\u7684\u5e8f\u5217\u5316\u6570\u636e\u7684\u4e0d\u5b89\u5168\u53cd\u5e8f\u5217\u5316\u5904\u7406\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u4ee3\u7801\u6267\u884c\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache Camel\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Apache Camel"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2024-23114",
  "serverity": "\u9ad8",
  "submitTime": "2024-03-14",
  "title": "Apache Camel\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e"
}

CVE-2024-23114 (GCVE-0-2024-23114)

Vulnerability from cvelistv5

Published

2024-02-20 14:59

Modified

2024-08-28 19:49

Severity ?

CWE

CWE-502 - Deserialization of Untrusted Data

Summary

Deserialization of Untrusted Data vulnerability in Apache Camel CassandraQL Component AggregationRepository which is vulnerable to unsafe deserialization. Under specific conditions it is possible to deserialize malicious payload.This issue affects Apache Camel: from 3.0.0 before 3.21.4, from 3.22.0 before 3.22.1, from 4.0.0 before 4.0.4, from 4.1.0 before 4.4.0. Users are recommended to upgrade to version 4.4.0, which fixes the issue. If users are on the 4.0.x LTS releases stream, then they are suggested to upgrade to 4.0.4. If users are on 3.x, they are suggested to move to 3.21.4 or 3.22.1

References

▼	URL	Tags
	https://camel.apache.org/security/CVE-2024-23114.html	vendor-advisory

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Camel	Version: 3.0.0 ≤ Version: 3.22.0 ≤ Version: 4.0.0 ≤ Version: 4.1.0 ≤

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T22:51:11.265Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://camel.apache.org/security/CVE-2024-23114.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "camel",
            "vendor": "apache",
            "versions": [
              {
                "lessThan": "3.21.4",
                "status": "affected",
                "version": "3.0.0",
                "versionType": "custom"
              },
              {
                "lessThan": "3.22.1",
                "status": "affected",
                "version": "3.22.0",
                "versionType": "custom"
              },
              {
                "lessThan": "4.0.4",
                "status": "affected",
                "version": "4.0.0",
                "versionType": "custom"
              },
              {
                "lessThan": "4.4.0",
                "status": "affected",
                "version": "4.1.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-23114",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-28T19:49:44.817314Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-28T19:49:48.296Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Camel",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "3.21.4",
              "status": "affected",
              "version": "3.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "3.22.1",
              "status": "affected",
              "version": "3.22.0",
              "versionType": "semver"
            },
            {
              "lessThan": "4.0.4",
              "status": "affected",
              "version": "4.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "4.4.0",
              "status": "affected",
              "version": "4.1.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Federico Mariani From Apache Software Foundation"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Andrea Cosentino from Apache Software Foundation"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Deserialization of Untrusted Data vulnerability in Apache Camel CassandraQL Component AggregationRepository which is vulnerable to unsafe deserialization. Under specific conditions it is possible to deserialize malicious payload.\u003cp\u003eThis issue affects Apache Camel: from 3.0.0 before 3.21.4, from 3.22.0 before 3.22.1, from 4.0.0 before 4.0.4, from 4.1.0 before 4.4.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 4.4.0, which fixes the issue.\u0026nbsp;If users are on the 4.0.x LTS releases stream, then they are suggested to upgrade to 4.0.4. If users are on 3.x, they are suggested to move to 3.21.4 or 3.22.1\u003c/p\u003e"
            }
          ],
          "value": "Deserialization of Untrusted Data vulnerability in Apache Camel CassandraQL Component AggregationRepository which is vulnerable to unsafe deserialization. Under specific conditions it is possible to deserialize malicious payload.This issue affects Apache Camel: from 3.0.0 before 3.21.4, from 3.22.0 before 3.22.1, from 4.0.0 before 4.0.4, from 4.1.0 before 4.4.0.\n\nUsers are recommended to upgrade to version 4.4.0, which fixes the issue.\u00a0If users are on the 4.0.x LTS releases stream, then they are suggested to upgrade to 4.0.4. If users are on 3.x, they are suggested to move to 3.21.4 or 3.22.1\n\n"
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "important"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502 Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-20T14:59:38.326Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://camel.apache.org/security/CVE-2024-23114.html"
        }
      ],
      "source": {
        "defect": [
          "CAMEL-20306"
        ],
        "discovery": "INTERNAL"
      },
      "title": "Apache Camel: Camel-CassandraQL: Unsafe Deserialization from CassandraAggregationRepository",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2024-23114",
    "datePublished": "2024-02-20T14:59:38.326Z",
    "dateReserved": "2024-01-11T17:22:53.091Z",
    "dateUpdated": "2024-08-28T19:49:48.296Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted