{ "threat_severity" : "Moderate", "public_date" : "2016-12-07T00:00:00Z", "bugzilla" : { "description" : "camel-jacksonxml: Unmarshalling operation are vulnerable to RCE", "id" : "1420832", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1420832" }, "cvss3" : { "cvss3_base_score" : "8.1", "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "status" : "verified" }, "cwe" : "CWE-502", "details" : [ "Apache Camel's Jackson and JacksonXML unmarshalling operation are vulnerable to Remote Code Execution attacks.", "It was found that Apache Camel's camel-jackson and camel-jacksonxml components are vulnerable to Java object de-serialisation vulnerability. Camel allows such a type through the 'CamelJacksonUnmarshalType' property. De-serializing untrusted data can lead to security flaws as demonstrated in various similar reports about Java de-serialization issues." ], "affected_release" : [ { "product_name" : "Red Hat JBoss A-MQ 6.3", "release_date" : "2017-08-10T00:00:00Z", "advisory" : "RHSA-2017:1832", "cpe" : "cpe:/a:redhat:jboss_amq:6.3" }, { "product_name" : "Red Hat JBoss Fuse 6.3", "release_date" : "2017-08-10T00:00:00Z", "advisory" : "RHSA-2017:1832", "cpe" : "cpe:/a:redhat:jboss_fuse:6.3" } ], "package_state" : [ { "product_name" : "Red Hat JBoss Fuse 6", "fix_state" : "Affected", "package_name" : "camel", "cpe" : "cpe:/a:redhat:jboss_fuse:6" }, { "product_name" : "Red Hat JBoss Fuse Service Works 6", "fix_state" : "Will not fix", "package_name" : "camel-jackson", "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6" }, { "product_name" : "Red Hat OpenShift Enterprise 2", "fix_state" : "Under investigation", "package_name" : "camel-jackson", "cpe" : "cpe:/a:redhat:openshift:2" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2016-8749\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-8749\nhttp://camel.apache.org/security-advisories.data/CVE-2016-8749.txt.asc" ], "name" : "CVE-2016-8749", "csaw" : false }