| Field | Value |
|---|---|
| title | Apache Camel Security Advisory - CVE-2015-5348 |
| url | /security/CVE-2015-5348.html |
| date | 2016-04-15 04:59:00 -0700 |
| draft | false |
| type | security-advisory |
| cve | CVE-2015-5348 |
| severity | MEDIUM |
| summary | Apache Camel's Jetty/Servlet usage is vulnerable to a Java object de-serialisation vulnerability. |
| description | Apache Camel's Jetty/Servlet usage is vulnerable to a Java object de-serialisation vulnerability |
| mitigation | 2.15.x users should upgrade to 2.15.5, 2.16.0 users should upgrade to 2.16.1. |
| credit | This issue was discovered by Sim Yih Tsern. |
| affected | 2.15.0 up to 2.15.4, 2.16.0 |
| fixed | 2.15.5, 2.16.1 and newer |
If camel-jetty or camel-servlet is used as a consumer in Camel routes, Camel will automatically de-serialise the body of any HTTP request whose Content-Type header is `application/x-java-serialized-object`.
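The upgrade above is the fix. As a compensating check for traffic reaching an affected consumer, the following is an added example (not Camel's code and not part of the advisory) of how a front-end filter or log scanner can recognise requests that would trigger the automatic de-serialisation described above: it parses a raw HTTP request, normalises the Content-Type (case and parameters), and compares it against the media type named in the advisory. It goes one step beyond the page by also checking the body for the Java serialization stream magic `AC ED 00 05` (a general Java fact, from `java.io.ObjectStreamConstants`, not stated on this page), so a serialized payload sent under a different Content-Type is still flagged. The sample requests and host name are constructed for the example.

```python
"""Flag HTTP requests that carry, or ask for, Java object de-serialisation.

Added defensive example for the CVE-2015-5348 advisory; not Camel project code.
"""
from __future__ import annotations

# Media type that affected camel-jetty / camel-servlet consumers de-serialised
# automatically (taken from the advisory text).
JAVA_SERIALIZED_MEDIA_TYPE = "application/x-java-serialized-object"

# First four bytes of every Java serialization stream: STREAM_MAGIC (0xACED)
# followed by STREAM_VERSION (0x0005). General Java fact, not from the advisory.
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"


def parse_request(raw: bytes) -> tuple[dict[str, str], bytes]:
    """Split a raw HTTP/1.x request into lower-cased header names and the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers: dict[str, str] = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if not sep:
            continue
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers, body


def media_type(content_type: str) -> str:
    """Drop parameters such as ';charset=...' and normalise case for comparison."""
    return content_type.split(";", 1)[0].strip().lower()


def classify(raw: bytes) -> str:
    """Return 'allow' or a 'reject: ...' verdict for one raw request."""
    headers, body = parse_request(raw)
    declared_java = media_type(headers.get("content-type", "")) == JAVA_SERIALIZED_MEDIA_TYPE
    body_java = body.startswith(JAVA_STREAM_MAGIC)
    if declared_java and body_java:
        return "reject: Java serialized object (header and body agree)"
    if declared_java:
        return "reject: Content-Type asks the consumer to deserialise"
    if body_java:
        return "reject: body is a Java serialization stream under another Content-Type"
    return "allow"


# Constructed sample requests (not captured traffic).
SAMPLES: dict[str, bytes] = {
    "serialized": (
        b"POST /orders HTTP/1.1\r\nHost: camel.example.internal\r\n"
        b"Content-Type: application/x-java-serialized-object\r\nContent-Length: 4\r\n\r\n"
        b"\xac\xed\x00\x05"
    ),
    "json": (
        b"POST /orders HTTP/1.1\r\nHost: camel.example.internal\r\n"
        b"Content-Type: application/json\r\n\r\n{\"id\": 1}"
    ),
    "mixed_case": (
        b"POST /orders HTTP/1.1\r\nHost: camel.example.internal\r\n"
        b"Content-Type: Application/X-Java-Serialized-Object; charset=utf-8\r\n\r\n{}"
    ),
    "mislabelled": (
        b"POST /orders HTTP/1.1\r\nHost: camel.example.internal\r\n"
        b"Content-Type: application/octet-stream\r\n\r\n\xac\xed\x00\x05rO0"
    ),
}


def scan(samples: dict[str, bytes] = SAMPLES) -> dict[str, str]:
    """Classify every sample and return the verdicts keyed by sample name."""
    return {name: classify(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan().items():
        print(f"{name:<12} {verdict}")
```

Placing this check in front of the consumer (reverse proxy rule or servlet filter) rejects such requests with 415 Unsupported Media Type before the body is handed to Camel; the same `classify` logic applied to request logs gives a detection signal for deployments that have not yet upgraded. Note that the case-insensitive, parameter-stripping comparison in `media_type` matters: a filter that matches the literal header string would miss `Application/X-Java-Serialized-Object; charset=utf-8`.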
The JIRA ticket https://issues.apache.org/jira/browse/CAMEL-9309 refers to the various commits that resolved the issue.