{"api_version":"1","generated_at":"2026-04-23T10:27:35+00:00","cve":"CVE-2020-11972","urls":{"html":"https://cve.report/CVE-2020-11972","api":"https://cve.report/api/cve/CVE-2020-11972.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2020-11972","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2020-11972"},"summary":{"title":"CVE-2020-11972","description":"Apache Camel RabbitMQ enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 are affected. 2.x users should upgrade to 2.25.1, 3.x users should upgrade to 3.2.0.","state":"PUBLIC","assigner":"security@apache.org","published_at":"2020-05-14 17:15:00","updated_at":"2021-03-15 22:15:00"},"problem_types":["CWE-502"],"metrics":[],"references":[{"url":"https://camel.apache.org/security/CVE-2020-11972.html","name":"https://camel.apache.org/security/CVE-2020-11972.html","refsource":"MISC","tags":["Vendor Advisory"],"title":"Apache Camel Security Advisory - CVE-2020-11972 - Apache Camel","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://www.oracle.com/security-alerts/cpuoct2020.html","name":"https://www.oracle.com/security-alerts/cpuoct2020.html","refsource":"MISC","tags":["Third Party Advisory"],"title":"Oracle Critical Patch Update Advisory - October 2020","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.openwall.com/lists/oss-security/2020/05/14/8","name":"[oss-security] 20200514 [SECURITY] New security advisory CVE-2020-11972 released for Apache Camel","refsource":"MLIST","tags":["Mailing List","Third Party Advisory"],"title":"oss-security - [SECURITY] New security advisory CVE-2020-11972 released for Apache\n Camel","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.openwall.com/lists/oss-security/2020/05/14/10","name":"[oss-security] 20200514 Re: [SECURITY] New security advisory CVE-2020-11972 released for Apache Camel","refsource":"MLIST","tags":["Mailing List","Third Party Advisory"],"title":"oss-security - Re: [SECURITY] New security advisory CVE-2020-11972 released for\n Apache Camel","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.oracle.com/security-alerts/cpujan2021.html","name":"https://www.oracle.com/security-alerts/cpujan2021.html","refsource":"MISC","tags":["Third Party Advisory"],"title":"Oracle Critical Patch Update Advisory - January 2021","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2020-11972","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-11972","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2020","cve_id":"11972","vulnerable":"1","versionEndIncluding":"2.25.0","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"camel","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"11972","vulnerable":"1","versionEndIncluding":"3.1.0","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"camel","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"11972","vulnerable":"1","versionEndIncluding":"8.2.2","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"communications_diameter_signaling_router","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"11972","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"enterprise_manager_base_platform","cpe6":"13.3.0.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"11972","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"enterprise_manager_base_platform","cpe6":"13.4.0.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"11972","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"enterprise_manager_base_platform","cpe6":"13.3.0.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"11972","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"enterprise_manager_base_platform","cpe6":"13.4.0.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"11972","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"flexcube_private_banking","cpe6":"12.0.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"11972","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"flexcube_private_banking","cpe6":"12.1.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"11972","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"flexcube_private_banking","cpe6":"12.0.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"11972","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"flexcube_private_banking","cpe6":"12.1.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2020-11972","qid":"982411","title":"Java (maven) Security Update for org.apache.camel:camel-rabbitmq (GHSA-2x6r-7427-95cm)"}]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2020-11972","ASSIGNER":"security@apache.org","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"n/a","product":{"product_data":[{"product_name":"Apache Camel","version":{"version_data":[{"version_value":"Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0"}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Java deserialization"}]}]},"references":{"reference_data":[{"refsource":"MLIST","name":"[oss-security] 20200514 [SECURITY] New security advisory CVE-2020-11972 released for Apache Camel","url":"http://www.openwall.com/lists/oss-security/2020/05/14/8"},{"refsource":"MLIST","name":"[oss-security] 20200514 Re: [SECURITY] New security advisory CVE-2020-11972 released for Apache Camel","url":"http://www.openwall.com/lists/oss-security/2020/05/14/10"},{"url":"https://www.oracle.com/security-alerts/cpuoct2020.html","refsource":"MISC","name":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"refsource":"MISC","name":"https://camel.apache.org/security/CVE-2020-11972.html","url":"https://camel.apache.org/security/CVE-2020-11972.html"},{"url":"https://www.oracle.com/security-alerts/cpujan2021.html","refsource":"MISC","name":"https://www.oracle.com/security-alerts/cpujan2021.html"}]},"description":{"description_data":[{"lang":"eng","value":"Apache Camel RabbitMQ enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 are affected. 2.x users should upgrade to 2.25.1, 3.x users should upgrade to 3.2.0."}]}},"nvd":{"publishedDate":"2020-05-14 17:15:00","lastModifiedDate":"2021-03-15 22:15:00","problem_types":["CWE-502"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL"},"exploitabilityScore":3.9,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":7.5},"severity":"HIGH","exploitabilityScore":10,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.0.0","versionEndIncluding":"3.1.0","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.22.0","versionEndIncluding":"2.25.0","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:flexcube_private_banking:12.0.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:enterprise_manager_base_platform:13.3.0.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*","versionStartIncluding":"8.0.0","versionEndIncluding":"8.2.2","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2020","CveId":"11972","Ordinal":"173110","Title":"CVE-2020-11972","CVE":"CVE-2020-11972","Year":"2020"},"notes":[{"CveYear":"2020","CveId":"11972","Ordinal":"1","NoteData":"Apache Camel RabbitMQ enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 are affected. 2.x users should upgrade to 2.25.1, 3.x users should upgrade to 3.2.0.","Type":"Description","Title":null},{"CveYear":"2020","CveId":"11972","Ordinal":"2","NoteData":"2020-05-14","Type":"Other","Title":"Published"},{"CveYear":"2020","CveId":"11972","Ordinal":"3","NoteData":"2021-01-20","Type":"Other","Title":"Modified"}]}}}