Posted to commits@camel.apache.org by ac...@apache.org on 2020/07/08 12:33:09 UTC

[camel-website] branch CVE-2020-11994 created (now 73ba751)

This is an automated email from the ASF dual-hosted git repository.

acosentino pushed a change to branch CVE-2020-11994
in repository https://gitbox.apache.org/repos/asf/camel-website.git.


      at 73ba751  Added CVE-2020-11994

This branch includes the following new commits:

     new 73ba751  Added CVE-2020-11994

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.



[camel-website] 01/01: Added CVE-2020-11994

Posted by ac...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

acosentino pushed a commit to branch CVE-2020-11994
in repository https://gitbox.apache.org/repos/asf/camel-website.git

commit 73ba751193f099ab5dd577b8aff5828119e31353
Author: Andrea Cosentino <an...@gmail.com>
AuthorDate: Wed Jul 8 14:32:09 2020 +0200

    Added CVE-2020-11994
---
 content/security/CVE-2020-11994.md      | 18 ++++++++++++++++++
 content/security/CVE-2020-11994.txt.asc | 27 +++++++++++++++++++++++++++
 2 files changed, 45 insertions(+)

diff --git a/content/security/CVE-2020-11994.md b/content/security/CVE-2020-11994.md
new file mode 100644
index 0000000..ba2041e
--- /dev/null
+++ b/content/security/CVE-2020-11994.md
@@ -0,0 +1,18 @@
+---
+title: "Apache Camel Security Advisory - CVE-2020-11994"
+date: 2020-07-08T14:47:42+02:00
+url: /security/CVE-2020-11994.html
+draft: false
+type: security-advisory
+cve: CVE-2020-11994
+severity: MEDIUM
+summary: "Server-Side Template Injection and arbitrary file disclosure on Camel templating components"
+description: "Server-Side Template Injection and arbitrary file disclosure on Camel templating components"
+mitigation: "2.x users should upgrade to 2.25.2, 3.x users should upgrade to 3.4.0"
+credit: "This issue was discovered by GHSL team member @pwntester (Alvaro Muñoz)"
+affected: 2.22.x, 2.23.x, 2.24.x, 2.25.0 and 2.25.1, 3.0.0 up to 3.3.0
+fixed: 2.25.2, 3.4.0
+---
+
+The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-15013 and https://issues.apache.org/jira/browse/CAMEL-15050 refers to the various commits that resovoled the issue, and have more details.
+
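Review bot: the closing paragraph of the new advisory page has a typo and a number disagreement: `The JIRA ticket: ... refers to the various commits that resovoled the issue` should read `The JIRA tickets: ... refer to the various commits that resolved the issue`, which is also the wording the companion .txt.asc file uses. The `affected:` front-matter line also lists 2.22.x, 2.23.x and 2.24.x as affected outright, whereas the signed text file in the same commit only says the unsupported 2.24-and-earlier releases "may be also affected"; the two artefacts published for one CVE should state the same affected range so that users on older 2.x releases get one consistent message.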
diff --git a/content/security/CVE-2020-11994.txt.asc b/content/security/CVE-2020-11994.txt.asc
new file mode 100644
index 0000000..b696547
--- /dev/null
+++ b/content/security/CVE-2020-11994.txt.asc
@@ -0,0 +1,27 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+CVE-2020-11994: Server-Side Template Injection and arbitrary file disclosure on Camel templating components
+
+Severity: MEDIUM
+
+Vendor: The Apache Software Foundation
+
+Versions Affected: Camel 2.25.0 to 2.25.1, Camel 3.0.0 to 3.3.0. The unsupported Camel 2.x (2.24 and earlier) versions may be also affected.
+
+Description: Server-Side Template Injection and arbitrary file disclosure on Camel templating components
+
+Mitigation: 2.x users should upgrade to 2.25.2, 3.x users should upgrade to 3.4.0 The JIRA tickets: https://issues.apache.org/jira/browse/CAMEL-15013 and https://issues.apache.org/jira/browse/CAMEL-15050 refer to the various commits that resolved the issue, and have more details.
+
+Credit: This issue was discovered by GHSL team member @pwntester (Alvaro Muñoz)
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.0.22 (GNU/Linux)
+
+iQEcBAEBAgAGBQJfBbyHAAoJEONOnzgC/0EAjFgH/2nKHQgMOtQLVI8T5IMVbCvO
+tLnrBYrLpC/ukVXlSM69YeJ7wOXRR2cb8Zml43sQEmGsEe8cbIYo0Gh9nAKRTU0X
+Ypz/waFZ6EB51PmCRVm1ZLRbe9sbyHEmN/H1TMNymqQIzubaASEf9HtdOKJstqS0
+IRIYdBA7N4W+ixh1NlkBJFzN/Kbnmw20ccnZmF0LCNCDkeMvIFJaXMu1qSBkDKm0
+oFIoTxqucGt7NMCeld4XdLTF6hCHTigRTtNi8PHs0DGkdZEEJye5Ap3URSylycht
+8i9H3B1FNvabdoseybeDc1vkZQOBXUbIMTtukldWnr0NigrnKUQs+iqS1wNrO+M=
+=yx2t
+-----END PGP SIGNATURE-----
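Review bot: the cleartext signature is made with `Hash: SHA1` (the default for the GnuPG v2.0.22 build shown in the `Version:` line); for a security advisory it would be better to sign with a SHA-2 digest, e.g. `gpg --digest-algo SHA256 --clearsign`, so the signature does not rest on a deprecated hash. Two wording issues in the signed body: the `Mitigation:` line runs the upgrade advice straight into `The JIRA tickets:` with no sentence break after `3.4.0`, and `Versions Affected:` gives 2.25.0 to 2.25.1 plus 3.0.0 to 3.3.0 with 2.24 and earlier only "may be also affected", which differs from the .md front matter in this same commit that lists 2.22.x through 2.24.x as affected; align the two before publishing. Since any change to the text invalidates the signature, the file must be re-signed after the wording is fixed.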