A new security advisory has been released for Apache Camel; the issue is fixed in the recent 2.25.2 and 3.4.0 releases.
CVE-2020-11994: Server-Side Template Injection and arbitrary file disclosure on Camel templating components

Severity: MEDIUM

Vendor: The Apache Software Foundation

Versions Affected: Camel 2.25.0 to 2.25.1, Camel 3.0.0 to 3.3.0. The unsupported Camel 2.x (2.24 and earlier) versions may also be affected.

Description: Server-Side Template Injection and arbitrary file disclosure on Camel templating components.

Mitigation: 2.x users should upgrade to 2.25.2; 3.x users should upgrade to 3.4.0.

The JIRA tickets https://issues.apache.org/jira/browse/CAMEL-15013 and https://issues.apache.org/jira/browse/CAMEL-15050 refer to the commits that resolved the issue and have more details.

Credit: This issue was discovered by GHSL team member @pwntester (Alvaro Muñoz).

On behalf of the Apache Camel PMC
--
Andrea Cosentino
----------------------------------
Apache Camel PMC Chair
Apache Karaf Committer
Apache Servicemix PMC Member
Email: ancosen1...@yahoo.com
Twitter: @oscerd2
Github: oscerd
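The advisory gives inclusive affected ranges and a first fixed release per supported line, and flags 2.24 and earlier as unsupported and possibly affected. The following script, added here as an example and not part of the advisory or of the Apache Camel project, turns those ranges into a check you can run against a project's declared Camel dependencies: it parses Camel version strings (ignoring qualifiers such as -SNAPSHOT), classifies them against the advisory's ranges, and pulls org.apache.camel dependency versions out of a Maven pom.xml, resolving ${property} references against the pom's own properties block. The pom.xml embedded below is constructed for illustration; versions managed by a BOM or a parent pom are not declared inline, so run the check against the output of mvn help:effective-pom for those projects.

```python
"""Classify Apache Camel versions against the CVE-2020-11994 advisory ranges
and extract Camel dependency versions from a Maven pom.xml.

Added example: the version ranges are the ones stated in the advisory; the
sample pom.xml is constructed for this example.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Inclusive affected ranges, as stated in the advisory.
AFFECTED: List[Tuple[Version, Version]] = [
    ((2, 25, 0), (2, 25, 1)),
    ((3, 0, 0), (3, 3, 0)),
]
# First fixed release on each supported line, as stated in the advisory.
FIXED: Dict[int, Version] = {2: (2, 25, 2), 3: (3, 4, 0)}


def parse_version(text: str) -> Version:
    """Parse the leading major.minor.patch of a Camel version string such as
    '3.3.0' or '2.25.1-SNAPSHOT'; any trailing qualifier is ignored."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"not a major.minor.patch version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def classify(text: str) -> str:
    """Map a version string to the advisory's status for it."""
    v = parse_version(text)
    for lo, hi in AFFECTED:
        if lo <= v <= hi:
            return "affected"
    if v[0] == 2 and v < (2, 25, 0):
        # Advisory: unsupported 2.x (2.24 and earlier) may also be affected.
        return "unsupported, may be affected"
    fixed = FIXED.get(v[0])
    if (fixed is not None and v >= fixed) or v[0] > 3:
        # At or after the first fixed release on that line (or a later major).
        return "fixed"
    return "not listed in advisory"


POM_NS = "{http://maven.apache.org/POM/4.0.0}"


def camel_versions_in_pom(pom_xml: str) -> Dict[str, str]:
    """Return {artifactId: version} for every org.apache.camel dependency that
    declares a version inline. ${prop} references are resolved against the
    pom's <properties>; BOM-managed dependencies (no <version>) are skipped."""
    root = ET.fromstring(pom_xml)
    ns = POM_NS if root.tag.startswith("{") else ""
    props = {p.tag.replace(ns, ""): (p.text or "").strip()
             for p in root.findall(f"./{ns}properties/*")}
    found: Dict[str, str] = {}
    for dep in root.iter(f"{ns}dependency"):
        if dep.findtext(f"{ns}groupId", "").strip() != "org.apache.camel":
            continue
        artifact = dep.findtext(f"{ns}artifactId", "").strip()
        version = dep.findtext(f"{ns}version", "").strip()
        version = re.sub(r"\$\{([^}]+)\}",
                         lambda m: props.get(m.group(1), m.group(0)), version)
        if version:
            found[artifact] = version
    return found


def report(pom_xml: str) -> Dict[str, str]:
    """Status per Camel artifact declared in the pom."""
    return {a: classify(v) for a, v in camel_versions_in_pom(pom_xml).items()}


# Constructed sample pom: a 3.3.0 project using the Velocity templating component.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <properties>
    <camel.version>3.3.0</camel.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.camel</groupId>
      <artifactId>camel-core</artifactId>
      <version>${camel.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.camel</groupId>
      <artifactId>camel-velocity</artifactId>
      <version>${camel.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.velocity</groupId>
      <artifactId>velocity-engine-core</artifactId>
      <version>2.2</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for artifact, status in report(SAMPLE_POM).items():
        print(f"{artifact}: {status}")
```

Anything reported as "affected" or "unsupported, may be affected" should be moved to 2.25.2 or 3.4.0 per the mitigation above; "not listed in advisory" means the version falls outside every range the advisory names and needs a manual look rather than being assumed safe.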