{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.camel:camel-cassandraql"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.21.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.camel:camel-cassandraql"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.22.0"
            },
            {
              "fixed": "3.22.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.camel:camel-cassandraql"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.0.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.camel:camel-cassandraql"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.1.0"
            },
            {
              "fixed": "4.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-23114"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-21T00:22:04Z",
    "nvd_published_at": "2024-02-20T15:15:10Z",
    "severity": "HIGH"
  },
  "details": "Deserialization of Untrusted Data vulnerability in Apache Camel CassandraQL Component AggregationRepository which is vulnerable to unsafe deserialization. Under specific conditions it is possible to deserialize malicious payload.This issue affects Apache Camel: from 3.0.0 before 3.21.4, from 3.22.0 before 3.22.1, from 4.0.0 before 4.0.4, from 4.1.0 before 4.4.0.\n\nUsers are recommended to upgrade to version 4.4.0, which fixes the issue.\u00a0If users are on the 4.0.x LTS releases stream, then they are suggested to upgrade to 4.0.4. If users are on 3.x, they are suggested to move to 3.21.4 or 3.22.1\n\n",
  "id": "GHSA-m43p-55rf-8c2j",
  "modified": "2024-02-22T20:31:17Z",
  "published": "2024-02-20T15:31:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23114"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/camel/pull/12759"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/camel/pull/12760"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/camel/pull/12761"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/camel/pull/12762"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/camel/pull/12790"
    },
    {
      "type": "WEB",
      "url": "https://camel.apache.org/security/CVE-2024-23114.html"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Croway/potential-cassandra"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/camel"
    },
    {
      "type": "WEB",
      "url": "https://issues.apache.org/jira/browse/CAMEL-20306"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Deserialization of Untrusted Data in Apache Camel CassandraQL"
}

{
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2024-23114"
      ],
      "details": "Deserialization of Untrusted Data vulnerability in Apache Camel CassandraQL Component AggregationRepository which is vulnerable to unsafe deserialization. Under specific conditions it is possible to deserialize malicious payload.This issue affects Apache Camel: from 3.0.0 before 3.21.4, from 3.22.0 before 3.22.1, from 4.0.0 before 4.0.4, from 4.1.0 before 4.4.0.\n\nUsers are recommended to upgrade to version 4.4.0, which fixes the issue.\u00a0If users are on the 4.0.x LTS releases stream, then they are suggested to upgrade to 4.0.4. If users are on 3.x, they are suggested to move to 3.21.4 or 3.22.1\n\n",
      "id": "GSD-2024-23114",
      "modified": "2024-01-12T06:02:17.983704Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@apache.org",
        "ID": "CVE-2024-23114",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Apache Camel",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "3.0.0",
                          "version_value": "3.21.4"
                        },
                        {
                          "version_affected": "\u003c",
                          "version_name": "3.22.0",
                          "version_value": "3.22.1"
                        },
                        {
                          "version_affected": "\u003c",
                          "version_name": "4.0.0",
                          "version_value": "4.0.4"
                        },
                        {
                          "version_affected": "\u003c",
                          "version_name": "4.1.0",
                          "version_value": "4.4.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Apache Software Foundation"
            }
          ]
        }
      },
      "credits": [
        {
          "lang": "en",
          "value": "Federico Mariani From Apache Software Foundation"
        },
        {
          "lang": "en",
          "value": "Andrea Cosentino from Apache Software Foundation"
        }
      ],
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Deserialization of Untrusted Data vulnerability in Apache Camel CassandraQL Component AggregationRepository which is vulnerable to unsafe deserialization. Under specific conditions it is possible to deserialize malicious payload.This issue affects Apache Camel: from 3.0.0 before 3.21.4, from 3.22.0 before 3.22.1, from 4.0.0 before 4.0.4, from 4.1.0 before 4.4.0.\n\nUsers are recommended to upgrade to version 4.4.0, which fixes the issue.\u00a0If users are on the 4.0.x LTS releases stream, then they are suggested to upgrade to 4.0.4. If users are on 3.x, they are suggested to move to 3.21.4 or 3.22.1\n\n"
          }
        ]
      },
      "generator": {
        "engine": "Vulnogram 0.1.0-dev"
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-502",
                "lang": "eng",
                "value": "CWE-502 Deserialization of Untrusted Data"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://camel.apache.org/security/CVE-2024-23114.html",
            "refsource": "MISC",
            "url": "https://camel.apache.org/security/CVE-2024-23114.html"
          }
        ]
      },
      "source": {
        "defect": [
          "CAMEL-20306"
        ],
        "discovery": "INTERNAL"
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "descriptions": [
          {
            "lang": "en",
            "value": "Deserialization of Untrusted Data vulnerability in Apache Camel CassandraQL Component AggregationRepository which is vulnerable to unsafe deserialization. Under specific conditions it is possible to deserialize malicious payload.This issue affects Apache Camel: from 3.0.0 before 3.21.4, from 3.22.0 before 3.22.1, from 4.0.0 before 4.0.4, from 4.1.0 before 4.4.0.\n\nUsers are recommended to upgrade to version 4.4.0, which fixes the issue.\u00a0If users are on the 4.0.x LTS releases stream, then they are suggested to upgrade to 4.0.4. If users are on 3.x, they are suggested to move to 3.21.4 or 3.22.1\n\n"
          }
        ],
        "id": "CVE-2024-23114",
        "lastModified": "2024-02-20T19:50:53.960",
        "metrics": {},
        "published": "2024-02-20T15:15:10.333",
        "references": [
          {
            "source": "security@apache.org",
            "url": "https://camel.apache.org/security/CVE-2024-23114.html"
          }
        ],
        "sourceIdentifier": "security@apache.org",
        "vulnStatus": "Awaiting Analysis",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-502"
              }
            ],
            "source": "security@apache.org",
            "type": "Primary"
          }
        ]
      }
    }
  }
}

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Apache Camel ist ein Integrations-Framework, das Enterprise Integration Patterns implementiert.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Apache Camel ausnutzen, um einen nicht n\u00e4her spezifizierten Angriff durchzuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- UNIX\n- Linux\n- Windows\n- Sonstiges",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2024-0418 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0418.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2024-0418 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0418"
      },
      {
        "category": "external",
        "summary": "Apache Camel Security Advisory vom 2024-02-18",
        "url": "https://camel.apache.org/security/CVE-2024-22369.htm"
      },
      {
        "category": "external",
        "summary": "Apache Camel Security Advisory vom 2024-02-18",
        "url": "https://camel.apache.org/security/CVE-2024-23114.html"
      }
    ],
    "source_lang": "en-US",
    "title": "Apache Camel: Mehrere Schwachstellen erm\u00f6glichen nicht spezifizierten Angriff",
    "tracking": {
      "current_release_date": "2024-02-18T23:00:00.000+00:00",
      "generator": {
        "date": "2024-02-19T13:05:59.838+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.0"
        }
      },
      "id": "WID-SEC-W-2024-0418",
      "initial_release_date": "2024-02-18T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2024-02-18T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c 3.21.4",
                "product": {
                  "name": "Apache Camel \u003c 3.21.4",
                  "product_id": "T032885",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:apache:camel:3.21.4"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c 3.22.1",
                "product": {
                  "name": "Apache Camel \u003c 3.22.1",
                  "product_id": "T032886",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:apache:camel:3.22.1"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c 4.0.4",
                "product": {
                  "name": "Apache Camel \u003c 4.0.4",
                  "product_id": "T032887",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:apache:camel:4.0.4"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c 4.4.0",
                "product": {
                  "name": "Apache Camel \u003c 4.4.0",
                  "product_id": "T032888",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:apache:camel:4.4.0"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Camel"
          }
        ],
        "category": "vendor",
        "name": "Apache"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-23114",
      "notes": [
        {
          "category": "description",
          "text": "In Apache Camel existieren mehrere Schwachstellen. Das Camel-SQL AggregationRepository und das Camel-CassandraQL AggregationRepository sind gegen eine unsichere Deserialisierung anf\u00e4llig. Ein Angreifer kann diese Schwachstelle ausnutzen, um b\u00f6sartige Nutzdaten zu deserialisieren."
        }
      ],
      "release_date": "2024-02-18T23:00:00Z",
      "title": "CVE-2024-23114"
    },
    {
      "cve": "CVE-2024-22369",
      "notes": [
        {
          "category": "description",
          "text": "In Apache Camel existieren mehrere Schwachstellen. Das Camel-SQL AggregationRepository und das Camel-CassandraQL AggregationRepository sind gegen eine unsichere Deserialisierung anf\u00e4llig. Ein Angreifer kann diese Schwachstelle ausnutzen, um b\u00f6sartige Nutzdaten zu deserialisieren."
        }
      ],
      "release_date": "2024-02-18T23:00:00Z",
      "title": "CVE-2024-22369"
    }
  ]
}

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Red Hat Integration Camel K 1.10.8 release and security update is now available.\n\nRed Hat Product Security has rated this update as having a security impact of\nImportant. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Camel K 1.10.8 is now available.\n\nThe purpose of this text-only errata is to inform you about the security issues fixed.\n\nSecurity Fix(es):\n\n* cxf-core: Apache CXF SSRF Vulnerability using the Aegis databinding (CVE-2024-28752)\n\n* org.apache.avro/avro: Schema parsing may trigger Remote Code Execution (CVE-2024-47561)\n\n* org.apache.camel-camel-cassandraql: : Apache Camel-CassandraQL: Unsafe Deserialization from CassandraAggregationRepository (CVE-2024-23114)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE important page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2024:8339",
        "url": "https://access.redhat.com/errata/RHSA-2024:8339"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "2265053",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2265053"
      },
      {
        "category": "external",
        "summary": "2270732",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270732"
      },
      {
        "category": "external",
        "summary": "2316116",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2316116"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8339.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat Integration Camel K 1.10.8 release and security update.",
    "tracking": {
      "current_release_date": "2024-11-06T07:19:22+00:00",
      "generator": {
        "date": "2024-11-06T07:19:22+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.1.1"
        }
      },
      "id": "RHSA-2024:8339",
      "initial_release_date": "2024-10-22T18:29:33+00:00",
      "revision_history": [
        {
          "date": "2024-10-22T18:29:33+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2024-10-22T18:29:33+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-06T07:19:22+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "RHINT Camel-K 1.10.8",
                "product": {
                  "name": "RHINT Camel-K 1.10.8",
                  "product_id": "RHINT Camel-K 1.10.8",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:camel_k:1.10.8"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Integration"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-23114",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "discovery_date": "2024-02-20T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2265053"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A deserialization of untrusted data flaw was found in the Apache Camel CassandraQL Component AggregationRepository. The affected versions of Apache Camel are vulnerable to unsafe deserialization, where, under specific conditions, it is possible to deserialize a malicious payload.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "Camel-CassandraQL: Unsafe Deserialization from CassandraAggregationRepository",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "RHINT Camel-K 1.10.8"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-23114"
        },
        {
          "category": "external",
          "summary": "RHBZ#2265053",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2265053"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-23114",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-23114"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-23114",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23114"
        },
        {
          "category": "external",
          "summary": "https://camel.apache.org/",
          "url": "https://camel.apache.org/"
        },
        {
          "category": "external",
          "summary": "https://issues.apache.org/jira/browse/CAMEL-20306",
          "url": "https://issues.apache.org/jira/browse/CAMEL-20306"
        }
      ],
      "release_date": "2024-02-19T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-10-22T18:29:33+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "RHINT Camel-K 1.10.8"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:8339"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "RHINT Camel-K 1.10.8"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "Camel-CassandraQL: Unsafe Deserialization from CassandraAggregationRepository"
    },
    {
      "cve": "CVE-2024-28752",
      "cwe": {
        "id": "CWE-918",
        "name": "Server-Side Request Forgery (SSRF)"
      },
      "discovery_date": "2024-03-21T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2270732"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A server-side request forgery (SSRF) vulnerability was found in Apache CXF. This issue occurs in attacks on webservices that take at least one parameter of any type, and when Aegisdatabind is used. Users of other data bindings including the default databinding are not impacted.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "cxf-core: Apache CXF SSRF Vulnerability using the Aegis databinding",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat rates this as an Important impact due to the fact this requires Aegis databind, which is not the default databinding for Apache CXF.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "RHINT Camel-K 1.10.8"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-28752"
        },
        {
          "category": "external",
          "summary": "RHBZ#2270732",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270732"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-28752",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-28752"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-28752",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28752"
        },
        {
          "category": "external",
          "summary": "https://cxf.apache.org/security-advisories.data/CVE-2024-28752.txt",
          "url": "https://cxf.apache.org/security-advisories.data/CVE-2024-28752.txt"
        },
        {
          "category": "external",
          "summary": "https://github.com/advisories/GHSA-qmgx-j96g-4428",
          "url": "https://github.com/advisories/GHSA-qmgx-j96g-4428"
        }
      ],
      "release_date": "2024-03-14T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-10-22T18:29:33+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "RHINT Camel-K 1.10.8"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:8339"
        },
        {
          "category": "workaround",
          "details": "No mitigation is currently available for this vulnerability. Please make sure to update as the fixes become available.",
          "product_ids": [
            "RHINT Camel-K 1.10.8"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "RHINT Camel-K 1.10.8"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "cxf-core: Apache CXF SSRF Vulnerability using the Aegis databinding"
    },
    {
      "cve": "CVE-2024-47561",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "discovery_date": "2024-10-02T14:04:06.018000+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2316116"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A vulnerability was found in Apache Avro. The project is affected and at risk if it accepts an org.apache.Avro/avroAvro schema for parsing provided by an end user. This flaw allows an attacker to trigger remote code execution by using the special \"java-class\" attribute.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "apache-avro: Schema parsing may trigger Remote Code Execution (RCE)",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "The Red Hat build of Apache Camel K 1.10 was rated Important as it allows users to provide an Avro schema for parsing. Note that this functionality is limited to authenticated users.\n\nRed Hat Single Sign-On 7 ships the affected component in its maven repository but does not use it in the product. As such it is affected but not vulnerable to the flaw, and is assessed at Moderate security impact.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "RHINT Camel-K 1.10.8"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-47561"
        },
        {
          "category": "external",
          "summary": "RHBZ#2316116",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2316116"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-47561",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-47561"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-47561",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47561"
        }
      ],
      "release_date": "2024-10-03T12:20:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-10-22T18:29:33+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "RHINT Camel-K 1.10.8"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:8339"
        },
        {
          "category": "workaround",
          "details": "1. Avoid parsing user-provided schemas.\n2. Ensure proper input validation and sanitization of schemas before parsing.\n3. Monitor systems for any unusual activities that may indicate exploitation attempts.\n4. Apply the principle of least privilege to minimize the potential impact of successful exploits.",
          "product_ids": [
            "RHINT Camel-K 1.10.8"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "RHINT Camel-K 1.10.8"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "apache-avro: Schema parsing may trigger Remote Code Execution (RCE)"
    }
  ]
}