This is an automated email from the ASF dual-hosted git repository. acosentino pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/camel-website.git
The following commit(s) were added to refs/heads/master by this push: new 5395f5f Added CVE-2020-11994 (#426) 5395f5f is described below commit 5395f5ffeb46219687ba3a76d92aaee08dc86f2f Author: Andrea Cosentino <anco...@gmail.com> AuthorDate: Wed Jul 8 14:33:19 2020 +0200 Added CVE-2020-11994 (#426) --- content/security/CVE-2020-11994.md | 18 ++++++++++++++++++ content/security/CVE-2020-11994.txt.asc | 27 +++++++++++++++++++++++++++ 2 files changed, 45 insertions(+) diff --git a/content/security/CVE-2020-11994.md b/content/security/CVE-2020-11994.md new file mode 100644 index 0000000..ba2041e --- /dev/null +++ b/content/security/CVE-2020-11994.md @@ -0,0 +1,18 @@ +--- +title: "Apache Camel Security Advisory - CVE-2020-11994" +date: 2020-07-08T14:47:42+02:00 +url: /security/CVE-2020-11994.html +draft: false +type: security-advisory +cve: CVE-2020-11994 +severity: MEDIUM +summary: "Server-Side Template Injection and arbitrary file disclosure on Camel templating components" +description: "Server-Side Template Injection and arbitrary file disclosure on Camel templating components" +mitigation: "2.x users should upgrade to 2.25.2, 3.x users should upgrade to 3.4.0" +credit: "This issue was discovered by GHSL team member @pwntester (Alvaro Muñoz)" +affected: 2.22.x, 2.23.x, 2.24.x, 2.25.0 and 2.25.1, 3.0.0 up to 3.3.0 +fixed: 2.25.2, 3.4.0 +--- + +The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-15013 and https://issues.apache.org/jira/browse/CAMEL-15050 refers to the various commits that resovoled the issue, and have more details. + diff --git a/content/security/CVE-2020-11994.txt.asc b/content/security/CVE-2020-11994.txt.asc new file mode 100644 index 0000000..b696547 --- /dev/null +++ b/content/security/CVE-2020-11994.txt.asc 
@@ -0,0 +1,27 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + +CVE-2020-11994: Server-Side Template Injection and arbitrary file disclosure on Camel templating components + +Severity: MEDIUM + +Vendor: The Apache Software Foundation + +Versions Affected: Camel 2.25.0 to 2.25.1, Camel 3.0.0 to 3.3.0. The unsupported Camel 2.x (2.24 and earlier) versions may be also affected. + +Description: Server-Side Template Injection and arbitrary file disclosure on Camel templating components + +Mitigation: 2.x users should upgrade to 2.25.2, 3.x users should upgrade to 3.4.0 The JIRA tickets: https://issues.apache.org/jira/browse/CAMEL-15013 and https://issues.apache.org/jira/browse/CAMEL-15050 refer to the various commits that resolved the issue, and have more details. + +Credit: This issue was discovered by GHSL team member @pwntester (Alvaro Muñoz) +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.0.22 (GNU/Linux) + +iQEcBAEBAgAGBQJfBbyHAAoJEONOnzgC/0EAjFgH/2nKHQgMOtQLVI8T5IMVbCvO +tLnrBYrLpC/ukVXlSM69YeJ7wOXRR2cb8Zml43sQEmGsEe8cbIYo0Gh9nAKRTU0X +Ypz/waFZ6EB51PmCRVm1ZLRbe9sbyHEmN/H1TMNymqQIzubaASEf9HtdOKJstqS0 +IRIYdBA7N4W+ixh1NlkBJFzN/Kbnmw20ccnZmF0LCNCDkeMvIFJaXMu1qSBkDKm0 +oFIoTxqucGt7NMCeld4XdLTF6hCHTigRTtNi8PHs0DGkdZEEJye5Ap3URSylycht +8i9H3B1FNvabdoseybeDc1vkZQOBXUbIMTtukldWnr0NigrnKUQs+iqS1wNrO+M= +=yx2t +-----END PGP SIGNATURE-----
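Review bot: the body line of content/security/CVE-2020-11994.md (first hunk) has a typo and a number-agreement error: `The JIRA ticket: ... refers to the various commits that resovoled the issue` should read `The JIRA tickets: ... refer to the various commits that resolved the issue`, which is the wording the signed .txt.asc in the same commit already uses. The `affected:` front-matter value (`2.22.x, 2.23.x, 2.24.x, 2.25.0 and 2.25.1, 3.0.0 up to 3.3.0`) also states a wider range than the signed advisory's `Versions Affected` (`Camel 2.25.0 to 2.25.1, Camel 3.0.0 to 3.3.0`, with 2.24 and earlier only "may be also affected"); the rendered page and the signed text should state the same range. `summary:` and `description:` are identical; `description:` could usefully say which templating components are concerned, since neither file names them.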
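Review bot: in content/security/CVE-2020-11994.txt.asc (second hunk) the `Versions Affected` line does not match the `affected:` value in the .md front matter added by the same commit, and because this text sits inside the PGP-signed block it cannot be corrected in place; either regenerate and re-sign the advisory or align the .md with it. The clearsigned message is produced with `Hash: SHA1` (GnuPG v2.0.22); a SHA-2 digest such as SHA256 is preferable for a security advisory signature, assuming the signing key setup allows it. Minor wording, also requiring re-signing if changed: `may be also affected` should be `may also be affected`.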