Apache Camel JDBCAggregationRepository deserialization vulnerability #381

y1ong opened this issue Feb 20, 2024 · 0 comments

y1ong commented Feb 20, 2024

Vulnerability description

Apache Camel is an open-source integration framework for exchanging data between systems.
In affected versions, the exchange handling in JDBCAggregationRepository contains unrestricted deserialization logic, so an attacker who can control the value of the exchange field in the database can deserialize arbitrary classes, leading to arbitrary code execution.
In the fixed versions, a validation check restricts deserialization to Java's own classes and Camel's own classes.

References

  1. https://www.oscs1024.com/hd/MPS-03tm-wyhp
  2. https://issues.apache.org/jira/browse/CAMEL-20303
  3. https://www.cve.org/CVERecord?id=CVE-2024-22369
  4. https://lists.apache.org/thread/3dko781dy2gy5l3fs48p56fgp429yb0f
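The pattern the description above refers to, shown as an added example that is not Apache Camel's own code: a reader that hands a database blob straight to ObjectInputStream next to one that applies a class-name allowlist before any object is instantiated. The class and method names (`ExchangeDeserializationDemo`, `readUnfiltered`, `readFiltered`, `OutsidePayload`) are this example's own; the allowlist of `java.**` and `org.apache.camel.**` mirrors what the advisory says the fix permits, while the depth, reference and byte limits are assumptions chosen for the example rather than values taken from the Camel patch. The inputs are constructed in `main`.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

public class ExchangeDeserializationDemo {

    // Hypothetical stand-in for a class an attacker would smuggle in through the
    // database column; what matters is that its name lies outside the allowed packages.
    static class OutsidePayload implements Serializable {
        private static final long serialVersionUID = 1L;
        String note = "arrived via the exchange column";
    }

    // Vulnerable pattern: whatever bytes come back from the database go straight into
    // ObjectInputStream, so any Serializable class on the classpath can be instantiated
    // (and any gadget chain reachable from it can run during readObject).
    static Object readUnfiltered(byte[] blob) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(blob))) {
            return in.readObject();
        }
    }

    // Hardened pattern: an allowlist filter that admits only JDK and Camel classes and
    // rejects everything else ("!*"), plus bounds on graph depth, reference count and
    // size. The numeric limits are this example's own assumptions.
    static final ObjectInputFilter EXCHANGE_FILTER =
            ObjectInputFilter.Config.createFilter(
                    "maxdepth=20;maxrefs=1000;maxbytes=1048576;java.**;org.apache.camel.**;!*");

    static Object readFiltered(byte[] blob) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(blob))) {
            in.setObjectInputFilter(EXCHANGE_FILTER);
            return in.readObject();
        }
    }

    // Helper that plays the role of the code path which wrote the exchange to the database.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a benign JDK object and an instance of a class outside the allowlist.
        List<String> benign = new ArrayList<>();
        benign.add("body");
        byte[] benignBlob = serialize(benign);
        byte[] outsideBlob = serialize(new OutsidePayload());

        // The unfiltered reader accepts both blobs.
        System.out.println("unfiltered, benign:  " + readUnfiltered(benignBlob));
        System.out.println("unfiltered, outside: " + readUnfiltered(outsideBlob).getClass().getName());

        // The filtered reader accepts the JDK object and rejects the outside class before
        // its constructor or readObject hook gets a chance to run.
        System.out.println("filtered, benign:    " + readFiltered(benignBlob));
        try {
            readFiltered(outsideBlob);
        } catch (InvalidClassException e) {
            System.out.println("filtered, outside:   rejected (" + e.getMessage() + ")");
        }
    }
}
```

Two points matter when checking a fix of this shape. The trailing `!*` is not optional: a class that matches no pattern is reported as UNDECIDED, which ObjectInputStream treats as allowed, so a filter of just `java.**;org.apache.camel.**` would still accept every other class. And a package-prefix allowlist only narrows the attack surface; gadget classes that happen to live inside an allowed package (JDK classes included) remain reachable, so the tighter the list of concrete classes the repository actually needs, the better.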
y1ong added the vuln label Feb 20, 2024