title: "Apache Camel Security Advisory - CVE-2020-11994"
date: 2020-07-08T08:47:42+02:00
url: /security/CVE-2020-11994.html
draft: false
type: security-advisory
cve: CVE-2020-11994
severity: MEDIUM
summary: "Server-Side Template Injection and arbitrary file disclosure on Camel templating components"
description: "Server-Side Template Injection and arbitrary file disclosure on Camel templating components"
mitigation: "2.x users should upgrade to 2.25.2, 3.x users should upgrade to 3.4.0"
credit: "This issue was discovered by GHSL team member @pwntester (Alvaro Muñoz)"
affected: 2.22.x, 2.23.x, 2.24.x, 2.25.0 and 2.25.1, 3.0.0 up to 3.3.0
fixed: 2.25.2, 3.4.0

The JIRA tickets https://issues.apache.org/jira/browse/CAMEL-15013 and https://issues.apache.org/jira/browse/CAMEL-15050 refer to the various commits that resolved the issue and have more details.