-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2020-11994: Server-Side Template Injection and arbitrary file disclosure on Camel templating components

Severity: MEDIUM

Vendor: The Apache Software Foundation

Versions Affected: Camel 2.25.0 to 2.25.1, Camel 3.0.0 to 3.3.0. The unsupported Camel 2.x (2.24 and earlier) versions may also be affected.

Description: Server-Side Template Injection and arbitrary file disclosure on Camel templating components. An attacker who can influence the input that reaches one of Camel's templating components can have a template of their own choosing evaluated by the template engine (SSTI) and use it to read arbitrary files that are accessible to the Camel process.

Mitigation: 2.x users should upgrade to 2.25.2, 3.x users should upgrade to 3.4.0. The unsupported 2.24 and earlier releases receive no fix, so users of those versions should also move to 2.25.2. The JIRA tickets https://issues.apache.org/jira/browse/CAMEL-15013 and https://issues.apache.org/jira/browse/CAMEL-15050 refer to the various commits that resolved the issue and have more details.

Credit: This issue was discovered by GHSL team member @pwntester (Alvaro Muñoz)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iQEcBAEBAgAGBQJfBbyHAAoJEONOnzgC/0EAjFgH/2nKHQgMOtQLVI8T5IMVbCvO
tLnrBYrLpC/ukVXlSM69YeJ7wOXRR2cb8Zml43sQEmGsEe8cbIYo0Gh9nAKRTU0X
Ypz/waFZ6EB51PmCRVm1ZLRbe9sbyHEmN/H1TMNymqQIzubaASEf9HtdOKJstqS0
IRIYdBA7N4W+ixh1NlkBJFzN/Kbnmw20ccnZmF0LCNCDkeMvIFJaXMu1qSBkDKm0
oFIoTxqucGt7NMCeld4XdLTF6hCHTigRTtNi8PHs0DGkdZEEJye5Ap3URSylycht
8i9H3B1FNvabdoseybeDc1vkZQOBXUbIMTtukldWnr0NigrnKUQs+iqS1wNrO+M=
=yx2t
-----END PGP SIGNATURE-----
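The practical question the advisory leaves to the reader is whether a given build pulls in one of the affected Camel versions. The following script is an added example, not part of the Apache advisory or the Camel project: it reads a Maven pom.xml, resolves ${property} references for org.apache.camel dependencies, and maps each version onto the ranges stated above (2.25.0 to 2.25.1 and 3.0.0 to 3.3.0 affected, fixed in 2.25.2 and 3.4.0, 2.24 and earlier unsupported and possibly affected). Because the advisory does not enumerate which artifacts are "templating components", every Camel artifact is reported and left for triage. The property resolution is deliberately simplified (no parent or BOM inheritance, which Maven would apply), and the sample pom.xml and its artifact ids are constructed for the demonstration.

```python
"""Check a Maven pom.xml for Apache Camel artifacts in the version ranges named
by the CVE-2020-11994 advisory.  Added example for this page, not part of the
Apache advisory; ranges come from the advisory text, the sample pom is constructed."""
import re
import xml.etree.ElementTree as ET

# Ranges from the advisory: 2.25.0-2.25.1 and 3.0.0-3.3.0 affected, fixed in
# 2.25.2 and 3.4.0; unsupported 2.24 and earlier "may also be affected".
FIXED_2X = (2, 25, 2)
FIXED_3X = (3, 4, 0)
POM_NS = "{http://maven.apache.org/POM/4.0.0}"


def parse_version(text):
    """Return (major, minor, patch) from 'X.Y.Z' or 'X.Y.Z-qualifier'."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(x) for x in m.groups())


def classify(version):
    """Map a Camel version string onto the advisory's ranges."""
    try:
        v = parse_version(version)
    except ValueError:
        return "unknown-version"          # e.g. LATEST or a range expression
    if v[0] == 2:
        if v < (2, 25, 0):
            return "unsupported-possibly-affected"   # 2.24 and earlier
        return "affected" if v < FIXED_2X else "fixed"
    if v < (3, 0, 0):
        return "not-covered-by-advisory"  # 1.x is not mentioned at all
    return "affected" if v < FIXED_3X else "fixed"   # 3.4.0 and later carry the fix


def _resolve(text, props):
    """Expand ${property} references a few rounds deep, as Maven does for
    properties defined in the same pom (parent/BOM inheritance is not modelled)."""
    for _ in range(5):
        new = re.sub(r"\$\{([^}]+)\}",
                     lambda m: props.get(m.group(1), m.group(0)), text)
        if new == text:
            break
        text = new
    return text.strip()


def scan_pom(pom_xml):
    """Return [(artifactId, resolved version, status)] for org.apache.camel
    dependencies that carry an explicit <version> element."""
    root = ET.fromstring(pom_xml)
    props = {p.tag[len(POM_NS):]: (p.text or "").strip()
             for p in root.findall(f"{POM_NS}properties/*")}
    project_version = root.findtext(f"{POM_NS}version")
    if project_version:
        props.setdefault("project.version", project_version.strip())
    findings = []
    for dep in root.iter(f"{POM_NS}dependency"):
        gid = (dep.findtext(f"{POM_NS}groupId") or "").strip()
        aid = (dep.findtext(f"{POM_NS}artifactId") or "").strip()
        ver = dep.findtext(f"{POM_NS}version")
        if gid != "org.apache.camel" or ver is None:
            continue   # other groups, or a version managed by a BOM/parent
        resolved = _resolve(ver, props)
        findings.append((aid, resolved, classify(resolved)))
    return findings


# Constructed sample pom.xml for the demonstration (not from any real project).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>camel-demo</artifactId>
  <version>1.0.0</version>
  <properties>
    <camel.version>3.3.0</camel.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.camel</groupId>
      <artifactId>camel-core</artifactId>
      <version>${camel.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.camel</groupId>
      <artifactId>camel-velocity</artifactId>
      <version>${camel.version}</version>
    </dependency>
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-api</artifactId>
      <version>1.7.30</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for artifact, version, status in scan_pom(SAMPLE_POM):
        print(f"{artifact:20} {version:10} {status}")
```

In a real tree, run it against the effective pom (mvn help:effective-pom) rather than the raw file so that BOM- and parent-managed versions are visible; a dependency with no <version> element is skipped here precisely because its version lives elsewhere.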