Posted to commits@camel.apache.org by ac...@apache.org on 2020/07/08 12:33:10 UTC

[camel-website] 01/01: Added CVE-2020-11994

This is an automated email from the ASF dual-hosted git repository.

acosentino pushed a commit to branch CVE-2020-11994
in repository https://gitbox.apache.org/repos/asf/camel-website.git

commit 73ba751193f099ab5dd577b8aff5828119e31353
Author: Andrea Cosentino <an...@gmail.com>
AuthorDate: Wed Jul 8 14:32:09 2020 +0200

    Added CVE-2020-11994
---
 content/security/CVE-2020-11994.md      | 18 ++++++++++++++++++
 content/security/CVE-2020-11994.txt.asc | 27 +++++++++++++++++++++++++++
 2 files changed, 45 insertions(+)

diff --git a/content/security/CVE-2020-11994.md b/content/security/CVE-2020-11994.md
new file mode 100644
index 0000000..ba2041e
--- /dev/null
+++ b/content/security/CVE-2020-11994.md
@@ -0,0 +1,18 @@
+---
+title: "Apache Camel Security Advisory - CVE-2020-11994"
+date: 2020-07-08T14:47:42+02:00
+url: /security/CVE-2020-11994.html
+draft: false
+type: security-advisory
+cve: CVE-2020-11994
+severity: MEDIUM
+summary: "Server-Side Template Injection and arbitrary file disclosure on Camel templating components"
+description: "Server-Side Template Injection and arbitrary file disclosure on Camel templating components"
+mitigation: "2.x users should upgrade to 2.25.2, 3.x users should upgrade to 3.4.0"
+credit: "This issue was discovered by GHSL team member @pwntester (Alvaro Muñoz)"
+affected: 2.22.x, 2.23.x, 2.24.x, 2.25.0 and 2.25.1, 3.0.0 up to 3.3.0
+fixed: 2.25.2, 3.4.0
+---
+
+The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-15013 and https://issues.apache.org/jira/browse/CAMEL-15050 refers to the various commits that resovoled the issue, and have more details.
+
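Review bot: The `affected` front-matter field (2.22.x, 2.23.x, 2.24.x, 2.25.0 and 2.25.1, 3.0.0 up to 3.3.0) does not match the signed advisory text in the second file, which lists only "Camel 2.25.0 to 2.25.1, Camel 3.0.0 to 3.3.0" as affected and says unsupported 2.24-and-earlier releases "may be also affected"; the two sources should state the same range, or the front matter should carry the same "may be affected" qualifier for the unsupported 2.x line, otherwise readers of the rendered page and of the signed text will draw different conclusions about exposure. The body line also has a typo and a number-agreement error: "The JIRA ticket: ... refers to the various commits that resovoled the issue" should read "The JIRA tickets: ... refer to the various commits that resolved the issue" (the .txt.asc already has the corrected wording). Finally, `description` simply repeats `summary`; a sentence saying which templating components are concerned would make the rendered advisory actionable without expanding the advisory's scope.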
diff --git a/content/security/CVE-2020-11994.txt.asc b/content/security/CVE-2020-11994.txt.asc
new file mode 100644
index 0000000..b696547
--- /dev/null
+++ b/content/security/CVE-2020-11994.txt.asc
@@ -0,0 +1,27 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+CVE-2020-11994: Server-Side Template Injection and arbitrary file disclosure on Camel templating components
+
+Severity: MEDIUM
+
+Vendor: The Apache Software Foundation
+
+Versions Affected: Camel 2.25.0 to 2.25.1, Camel 3.0.0 to 3.3.0. The unsupported Camel 2.x (2.24 and earlier) versions may be also affected.
+
+Description: Server-Side Template Injection and arbitrary file disclosure on Camel templating components
+
+Mitigation: 2.x users should upgrade to 2.25.2, 3.x users should upgrade to 3.4.0 The JIRA tickets: https://issues.apache.org/jira/browse/CAMEL-15013 and https://issues.apache.org/jira/browse/CAMEL-15050 refer to the various commits that resolved the issue, and have more details.
+
+Credit: This issue was discovered by GHSL team member @pwntester (Alvaro Muñoz)
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.0.22 (GNU/Linux)
+
+iQEcBAEBAgAGBQJfBbyHAAoJEONOnzgC/0EAjFgH/2nKHQgMOtQLVI8T5IMVbCvO
+tLnrBYrLpC/ukVXlSM69YeJ7wOXRR2cb8Zml43sQEmGsEe8cbIYo0Gh9nAKRTU0X
+Ypz/waFZ6EB51PmCRVm1ZLRbe9sbyHEmN/H1TMNymqQIzubaASEf9HtdOKJstqS0
+IRIYdBA7N4W+ixh1NlkBJFzN/Kbnmw20ccnZmF0LCNCDkeMvIFJaXMu1qSBkDKm0
+oFIoTxqucGt7NMCeld4XdLTF6hCHTigRTtNi8PHs0DGkdZEEJye5Ap3URSylycht
+8i9H3B1FNvabdoseybeDc1vkZQOBXUbIMTtukldWnr0NigrnKUQs+iqS1wNrO+M=
+=yx2t
+-----END PGP SIGNATURE-----
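Review bot: The cleartext signature header declares `Hash: SHA1` (and the signature was produced with GnuPG v2.0.22); SHA-1 is no longer considered collision resistant, so a security advisory whose authenticity is meant to be verified from this signature should be signed with a SHA-2 digest (e.g. `Hash: SHA256`), which current GnuPG releases select by default. Note that any textual change to this file, including the "Versions Affected" discrepancy with the .md front matter and the missing sentence break in "upgrade to 3.4.0 The JIRA tickets", invalidates the existing signature, so the text must be corrected and then re-signed rather than edited in place.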