title: "Apache Camel Security Advisory - CVE-2017-3159"
url: /security/CVE-2017-3159.html
date: 2017-03-07T10:59:00.517000
draft: false
type: security-advisory
cve: CVE-2017-3159
severity: MEDIUM
summary: "Apache Camel's Snakeyaml unmarshalling operation is vulnerable to Remote Code Execution attacks"
description: "Apache Camel's camel-snakeyaml component is vulnerable to Java object de-serialisation vulnerability. De-serializing untrusted data can lead to security flaws."
mitigation: "2.17.x users should upgrade to 2.17.5, 2.18.x users should upgrade to 2.18.2."
credit: "This issue was discovered by Moritz Bechler from AgNO3 GmbH & Co."
affected: 2.17.0 up to 2.17.4, 2.18.0 up to 2.18.1
fixed: 2.17.5, 2.18.2 and newer

The JIRA ticket https://issues.apache.org/jira/browse/CAMEL-10575 refers to the various commits that resolved the issue and has more details.
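The advisory's fix is the version upgrade given in the mitigation line. The underlying library behaviour it describes, an unmarshaller that lets the YAML document choose which Java class gets instantiated, can be reproduced with SnakeYAML directly. The example below is added here and is neither the project's code nor the advisory's text; it assumes the SnakeYAML 1.33 API (the last 1.x line, where `new Yaml()` still uses the unrestricted `Constructor`; in SnakeYAML 2.x the default `Yaml()` rejects global tags on its own). The `Greeting` bean and the tagged input are constructed for the demonstration.

```java
import java.util.Map;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

/**
 * Demonstrates why unmarshalling untrusted YAML with SnakeYAML's default
 * Constructor is unsafe, and what a SafeConstructor does instead.
 * Assumes SnakeYAML 1.33 (constructed example, not camel-snakeyaml code).
 */
public class YamlDeserializationDemo {

    /** Harmless bean: it exists only to show that a YAML tag becomes a live Java object. */
    public static class Greeting {
        public String text;
        public Greeting() {
            System.out.println("Greeting constructor ran (chosen by the YAML document, not by the code)");
        }
    }

    // Constructed input. The "!!" global tag names a class by its fully qualified name;
    // the default Constructor resolves it with Class.forName and instantiates it.
    static final String TAGGED_INPUT = "!!YamlDeserializationDemo$Greeting {text: hi}";

    /** Unrestricted load: the input picks the class, which is the condition CVE-2017-3159 describes. */
    static Object loadUnrestricted(String yaml) {
        return new Yaml().load(yaml);
    }

    /**
     * Hardened load: SafeConstructor only builds standard YAML types (maps, lists,
     * scalars) and throws on any global tag, so the input cannot name a class.
     */
    static Object loadSafe(String yaml) {
        Yaml safe = new Yaml(new SafeConstructor(new LoaderOptions()));
        return safe.load(yaml);
    }

    public static void main(String[] args) {
        // 1. Default constructor: the tagged document is turned into a Greeting instance.
        Object unrestricted = loadUnrestricted(TAGGED_INPUT);
        System.out.println("unrestricted -> " + unrestricted.getClass().getName());

        // 2. SafeConstructor: the same document is rejected before any class is touched.
        try {
            loadSafe(TAGGED_INPUT);
            System.out.println("safe         -> unexpectedly accepted");
        } catch (YAMLException e) {
            System.out.println("safe         -> rejected: " + e.getMessage());
        }

        // 3. SafeConstructor still handles ordinary data; it comes back as a plain Map.
        Map<?, ?> plain = (Map<?, ?>) loadSafe("text: hi");
        System.out.println("safe plain   -> " + plain);
    }
}
```

Run it with snakeyaml 1.33 on the classpath: step 1 prints that the `Greeting` constructor ran and the loaded object is `YamlDeserializationDemo$Greeting`, step 2 reports a `YAMLException` for the tag, and step 3 returns `{text=hi}`. The design point for a Camel route is the same as for the raw library: a data format that unmarshals YAML from an untrusted endpoint must be pinned to the types the route expects rather than to whatever the document names, which is what the fixed releases listed above provide.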