Posted to dev@camel.apache.org by Andrea Cosentino <an...@yahoo.com.INVALID> on 2020/07/08 12:43:29 UTC

[SECURITY] CVE-2020-11994 - Server-Side Template Injection and arbitrary file disclosure on Camel templating components

A new security advisory has been released for Apache Camel, that is fixed in
the recent 2.25.2 and 3.4.0 releases.

CVE-2020-11994: Server-Side Template Injection and arbitrary file disclosure on Camel templating components

Severity: MEDIUM

Vendor: The Apache Software Foundation

Versions Affected: Camel 2.25.0 to 2.25.1, Camel 3.0.0 to 3.3.0. The unsupported Camel 2.x (2.24 and earlier) versions may be also affected.

Description: Server-Side Template Injection and arbitrary file disclosure on Camel templating components

Mitigation: 2.x users should upgrade to 2.25.2, 3.x users should upgrade to 3.4.0. The JIRA tickets https://issues.apache.org/jira/browse/CAMEL-15013 and https://issues.apache.org/jira/browse/CAMEL-15050 refer to the various commits that resolved the issue, and have more details.

Credit: This issue was discovered by GHSL team member @pwntester (Alvaro Muñoz)

On behalf of the Apache Camel PMC

--
Andrea Cosentino 
----------------------------------
Apache Camel PMC Chair
Apache Karaf Committer
Apache Servicemix PMC Member
Email: ancosen1985@yahoo.com
Twitter: @oscerd2
Github: oscerd