This is an automated email from the ASF dual-hosted git repository.
acosentino pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel-website.git
The following commit(s) were added to refs/heads/main by this push:
new fa5b5fa2 Release CVE-2024-23114 details (#1143)
fa5b5fa2 is described below
commit fa5b5fa284659f881117f48d247257a76347467c
Author: Andrea Cosentino <anco...@gmail.com>
AuthorDate: Mon Feb 19 10:34:16 2024 +0100
Release CVE-2024-23114 details (#1143)
* Release CVE-2024-23114 details
Signed-off-by: Andrea Cosentino <anco...@gmail.com>
* Update CVE-2024-23114.md
---------
Signed-off-by: Andrea Cosentino <anco...@gmail.com>
---
content/security/CVE-2024-23114.md | 18 ++++++++++++++++++
content/security/CVE-2024-23114.txt.asc | 28 ++++++++++++++++++++++++++++
2 files changed, 46 insertions(+)
diff --git a/content/security/CVE-2024-23114.md
b/content/security/CVE-2024-23114.md
new file mode 100644
index 00000000..dd7cf3d0
--- /dev/null
+++ b/content/security/CVE-2024-23114.md
@@ -0,0 +1,18 @@
+---
+title: "Apache Camel Security Advisory - CVE-2024-23114"
+date: 2024-02-19T09:26:42+02:00
+url: /security/CVE-2024-23114.html
+draft: false
+type: security-advisory
+cve: CVE-2024-23114
+severity: HIGH
+summary: "Apache Camel: Camel-CassandraQL: Unsafe Deserialization from
CassandraAggregationRepository"
+description: "The Camel-CassandraQL AggregationRepository is vulnerable to
unsafe deserialization. Under specific conditions it is possible to deserialize
malicious payload."
+mitigation: "Users are recommended to upgrade to version 4.4.0, which fixes
the issue. If users are on the 4.0.x LTS releases stream, then they are
suggested to upgrade to 4.0.4. If users are on 3.x, they are suggested to move
to 3.21.4 or 3.22.1"
+credit: "This issue was discovered by Federico Mariani from Apache Software
Foundation and Andrea Cosentino from Apache Software Foundation"
+affected: From 3.0.0 before 3.21.4, from 3.22.0 before 3.22.1, from 4.0.0
before 4.0.4, from 4.1.0 before 4.4.0.
+fixed: 3.21.4, 3.22.1, 4.0.4 and 4.4.0
+---
+
+The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-20306 refers to
the various commits that resolved the issue, and have more details.
+
diff --git a/content/security/CVE-2024-23114.txt.asc
b/content/security/CVE-2024-23114.txt.asc
new file mode 100644
index 00000000..6e23d6e2
--- /dev/null
+++ b/content/security/CVE-2024-23114.txt.asc
@@ -0,0 +1,28 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA256
+
+CVE-2024-22369: Apache Camel: Camel-CassandraQL: Unsafe Deserialization from
CassandraAggregationRepository
+
+Severity: HIGH
+
+Vendor: The Apache Software Foundation
+
+Versions Affected: from 3.0.0 before 3.21.4, from 3.22.0 before 3.22.1, from
4.0.0 before 4.0.4, from 4.1.0 before 4.4.0.
+
+Description: The Camel-CassandraQL AggregationRepository is vulnerable to
unsafe deserialization. Under specific conditions it is possible to deserialize
malicious payload.
+
+Mitigation: Users are recommended to upgrade to version 4.4.0, which fixes the
issue. If users are on the 4.0.x LTS releases stream, then they are suggested
to upgrade to 4.0.4. If users are on 3.x, they are suggested to move to 3.21.4
or 3.22.1
+
+Credit: This issue was discovered by Federico Mariani from Apache Software
Foundation and Andrea Cosentino from Apache Software Foundation
+
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAEBCAAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmXPbnQACgkQ406fOAL/
+QQCSVAf/Ry5YkC25Jou7rx0jB8vr6DdAIGzTsukw5pSKlBBTVbYHEwmRMKEHngS5
+E3bcmbQ8M/W9OD74AO/5533w4aIJlXVCKXAAWPfGvPy7+iAPjhJ0bvRhn1YQ4e9j
+kRfTnKyZe/8AfDmzY/+tdqmEhxDpKV7ki2qH2QjK084/TI9aosvujaoAZ/jUBvO7
+rRFJkv/pKdVkQvzdmBUpWV5xOi0peNqMZ+QN6Z4oug8X9vOpjmGW//tmO64dSifV
+mABZ5K77w8YrZDUy9qPGkb1N7sJZvO2Njghco5ejMzwtbPCXBVWIp9iGicg10yEq
+1oUE7Tkvpt+1iUPaYPY7UFP7oU7kMg==
+=DCIE
+-----END PGP SIGNATURE-----
