{
  "threat_severity" : "Important",
  "public_date" : "2020-05-14T00:00:00Z",
  "bugzilla" : {
    "description" : "camel: RabbitMQ enables Java deserialization by default which could lead to remote code execution",
    "id" : "1848464",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1848464"
  },
  "cvss3" : {
    "cvss3_base_score" : "9.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-502",
  "details" : [ "Apache Camel RabbitMQ enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 are affected. 2.x users should upgrade to 2.25.1, 3.x users should upgrade to 3.2.0.", "A flaw was found in camel up to versions 2.25.1 and 3.x. Apache Camel RabbitMQ enables java deserialization, by default, without any means of disabling which can lead to arbitrary code being executed. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Fuse 7.8.0",
    "release_date" : "2020-12-16T00:00:00Z",
    "advisory" : "RHSA-2020:5568",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7",
    "package" : "camel-rabbitmq"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat JBoss Data Grid 7",
    "fix_state" : "Not affected",
    "package_name" : "camel-rabbitmq",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:7"
  }, {
    "product_name" : "Red Hat JBoss Fuse 6",
    "fix_state" : "Affected",
    "package_name" : "camel-rabbitmq",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-11972\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-11972" ],
  "name" : "CVE-2020-11972",
  "csaw" : false
}