title: "Apache Camel Security Advisory - CVE-2017-12634"
url: /security/CVE-2017-12634.html
date: 2017-11-15T10:29:00.257000
draft: false
type: security-advisory
cve: CVE-2017-12634
severity: MEDIUM
summary: "Apache Camel's Castor unmarshalling operation is vulnerable to Remote Code Execution attacks"
description: "Apache Camel's camel-castor component has a Java object de-serialisation vulnerability. De-serialising untrusted data can lead to security flaws."
mitigation: "2.19.x users should upgrade to 2.19.4; 2.20.0 users should upgrade to 2.20.1."
credit: "This issue was discovered by Man Yue Mo from Semmle/lgtm.com."
affected: 2.19.0 up to 2.19.3, 2.20.0
fixed: 2.19.4, 2.20.1 and newer

The JIRA ticket https://issues.apache.org/jira/browse/CAMEL-11929 refers to the commits that resolved the issue and has more details.
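The quickest practical check is whether a build pulls in an affected camel-castor release. The script below is an added example (not part of this advisory or of the Apache Camel project) that encodes only the affected and fixed versions stated above, and scans the text output of `mvn dependency:tree` for `org.apache.camel:camel-castor` coordinates. The dependency-tree sample is constructed for illustration; versions outside the ranges listed in the advisory (for example 2.18.x) are reported as not affected simply because the page does not list them, not because they were assessed here.

```python
import re
from typing import List, Optional, Tuple

# Version ranges exactly as stated in the advisory: 2.19.0 up to 2.19.3, and 2.20.0.
AFFECTED_RANGES = [((2, 19, 0), (2, 19, 3)), ((2, 20, 0), (2, 20, 0))]
# Minimum fixed release per branch, as stated in the advisory's mitigation.
FIXED_BY_BRANCH = {(2, 19): (2, 19, 4), (2, 20): (2, 20, 1)}

# Leading numeric triple of a Maven version; a qualifier such as "-SNAPSHOT" is ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")
# Matches the groupId:artifactId:type:version part of a `mvn dependency:tree` line, e.g.
#   [INFO] +- org.apache.camel:camel-castor:jar:2.19.2:compile
_DEP_RE = re.compile(r"org\.apache\.camel:camel-castor:[\w-]+:([^:\s]+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch) for a Maven version string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def fixed_version(version: str) -> Optional[str]:
    """Minimum fixed release on the same branch, or None if the version is not affected."""
    if not is_affected(version):
        return None
    v = parse_version(version)
    return ".".join(str(part) for part in FIXED_BY_BRANCH[v[:2]])


def scan_dependency_tree(tree_output: str) -> List[Tuple[str, bool, Optional[str]]]:
    """Scan `mvn dependency:tree` text; return (version, affected, fix) per camel-castor hit."""
    findings = []
    for line in tree_output.splitlines():
        m = _DEP_RE.search(line)
        if m:
            ver = m.group(1)
            findings.append((ver, is_affected(ver), fixed_version(ver)))
    return findings


# Constructed sample of `mvn dependency:tree` output (hypothetical project coordinates).
SAMPLE_TREE = """\
[INFO] com.example:orders:jar:1.0.0
[INFO] +- org.apache.camel:camel-core:jar:2.19.2:compile
[INFO] +- org.apache.camel:camel-castor:jar:2.19.2:compile
[INFO] \\- org.apache.camel:camel-xstream:jar:2.19.2:compile
"""

if __name__ == "__main__":
    for ver, affected, fix in scan_dependency_tree(SAMPLE_TREE):
        status = f"AFFECTED, upgrade to {fix}" if affected else "not affected"
        print(f"camel-castor {ver}: {status}")
```

Run it against real output with `mvn dependency:tree | python3 check_castor.py` after replacing `SAMPLE_TREE` with `sys.stdin.read()`; note that coordinates carrying a classifier have an extra field before the version, which this simple regex does not handle.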