Vulnerability Name: CVE-2020-11971 (CCN-181961) Assigned: 2020-05-14 Published: 2020-05-14 Updated: 2022-05-12 Summary: Apache Camel's JMX is vulnerable to Rebind Flaw. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.x, 3.0.0 up to 3.1.0 is affected. Users should upgrade to 3.2.0. CVSS v3 Severity: 7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C Exploitability Metrics: Attack Vector (AV): NetworkAttack Complexity (AC): LowPrivileges Required (PR): NoneUser Interaction (UI): NoneScope: Scope (S): UnchangedImpact Metrics: Confidentiality (C): HighIntegrity (I): NoneAvailibility (A): None
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C Exploitability Metrics: Attack Vector (AV): NetworkAttack Complexity (AC): LowPrivileges Required (PR): NoneUser Interaction (UI): NoneScope: Scope (S): UnchangedImpact Metrics: Confidentiality (C): HighIntegrity (I): NoneAvailibility (A): None
CVSS v2 Severity: 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N Exploitability Metrics: Access Vector (AV): NetworkAccess Complexity (AC): LowAuthentication (Au): NoneImpact Metrics: Confidentiality (C): PartialIntegrity (I): NoneAvailibility (A): None
7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N Exploitability Metrics: Access Vector (AV): NetworkAccess Complexity (AC): LowAthentication (Au): NoneImpact Metrics: Confidentiality (C): CompleteIntegrity (I): NoneAvailibility (A): None
Vulnerability Type: CWE-noinfo Vulnerability Consequences: Obtain Information References: Source: MITRECVE-2020-11971 [oss-security] 20200514 [SECURITY] New security advisory CVE-2020-11971 released for Apache Camel Apache Camel https://camel.apache.org/security/CVE-2020-11971.html apache-cve202011971-info-disc(181961) [camel-commits] 20200522 [camel-website] branch CVE-2020-11971-amend created (now 2a753f7) [camel-commits] 20200522 [camel-website] 02/02: CVE-2020-11971 - Amended fix version [activemq-issues] 20200601 [jira] [Created] (AMQ-7492) CVE-2020-11971 needs AMQ to upgrade to Apache Camel 3.2.0 [activemq-users] 20210831 RE: Security issues [camel-commits] 20200522 [camel-website] 01/02: CVE-2020-11971 - Amend the fix version [activemq-issues] 20200622 [jira] [Assigned] (AMQ-7492) CVE-2020-11971 needs AMQ to upgrade to Apache Camel 3.2.0 [activemq-issues] 20201122 [jira] [Commented] (AMQ-7492) CVE-2020-11971 needs AMQ to upgrade to Apache Camel 3.2.0 [activemq-users] 20210830 Security issues [activemq-issues] 20200622 [jira] [Commented] (AMQ-7492) CVE-2020-11971 needs AMQ to upgrade to Apache Camel 3.2.0 [activemq-issues] 20201122 [jira] [Updated] (AMQ-7492) CVE-2020-11971 needs AMQ to upgrade to Apache Camel 2.25.2 [SECURITY] New security advisory CVE-2020-11971 released for Apache Camel IBM Jazz for Service Management is vulnerable to Apache Camel Core vulnerabilities Multiple vulnerabilities have been identified in Apache Camel shipped with IBM Netcool/OMNIbus Probe DSL Factory Framework Vulnerabilities in Apache Camel's JMX, Apache Camel RabbitMQ and Apache Camel Netty affects IBM Operations Analytics Predictive Insights (CVE-2020-11971, CVE-2020-11972, CVE-2020-11973) IBM Data Risk Manager is affected by multiple vulnerabilities Apache Camel Core vulnerability in IBM Tivoli Monitoring Data Provider (CVE-2020-11971) A security vulnerability has been identified in Apache Camel shipped with IBM Tivoli Netcool Impact (CVE-2020-11971) IBM QRadar SIEM includes components with known vulnerabilities Oracle Critical Patch Update Advisory - April 2022 https://www.oracle.com/security-alerts/cpuapr2022.html https://www.oracle.com/security-alerts/cpujan2021.html https://www.oracle.com/security-alerts/cpuoct2020.html Vulnerable Configuration: Configuration 1 :cpe:/a:apache:camel:*:*:*:*:*:*:*:* (Version >= 2.22.0 and <= 3.1.0)Configuration 2 :cpe:/a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:* OR cpe:/a:oracle:flexcube_private_banking:12.0.0:*:*:*:*:*:*:* OR cpe:/a:oracle:enterprise_manager_base_platform:13.3.0.0:*:*:*:*:*:*:* OR cpe:/a:oracle:enterprise_manager_base_platform:13.4.0.0:*:*:*:*:*:*:* OR cpe:/a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:* (Version >= 8.0.0 and <= 8.2.2) OR cpe:/a:oracle:communications_diameter_intelligence_hub:*:*:*:*:*:*:*:* (Version >= 8.0.0 and <= 8.1.0) OR cpe:/a:oracle:communications_diameter_intelligence_hub:*:*:*:*:*:*:*:* (Version >= 8.2.0 and <= 8.2.3) Configuration CCN 1 :cpe:/a:apache:camel:2.22.0:*:*:*:*:*:*:* OR cpe:/a:apache:camel:2.23.0:*:*:*:*:*:*:* OR cpe:/a:apache:camel:2.24.0:*:*:*:*:*:*:* OR cpe:/a:apache:camel:2.25.0:*:*:*:*:*:*:* OR cpe:/a:apache:camel:3.0.0:-:*:*:*:*:*:* OR cpe:/a:apache:camel:3.1.0:*:*:*:*:*:*:* AND cpe:/a:ibm:tivoli_netcool/impact:7.1.0:*:*:*:*:*:*:* OR cpe:/a:ibm:tivoli_netcool/omnibus:8.1.0:*:*:*:*:*:*:* OR cpe:/a:ibm:operations_analytics_predictive_insights:1.3.6:*:*:*:*:*:*:* OR cpe:/a:ibm:tivoli_monitoring:6.3.0.7:*:*:*:*:*:*:* OR cpe:/a:ibm:jazz_for_service_management:1.1.3:*:*:*:*:*:*:* OR cpe:/a:ibm:data_risk_manager:2.0.6:*:*:*:*:*:*:* OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.5.0:-:*:*:*:*:*:* BACK
apache camel *
oracle flexcube private banking 12.1.0
oracle flexcube private banking 12.0.0
oracle enterprise manager base platform 13.3.0.0
oracle enterprise manager base platform 13.4.0.0
oracle communications diameter signaling router *
oracle communications diameter intelligence hub *
oracle communications diameter intelligence hub *
apache camel 2.22.0
apache camel 2.23.0
apache camel 2.24.0
apache camel 2.25.0
apache camel 3.0.0 -
apache camel 3.1.0
ibm tivoli netcool/impact 7.1.0
ibm tivoli netcool/omnibus 8.1.0
ibm operations analytics predictive insights 1.3.6
ibm tivoli monitoring 6.3.0.7
ibm jazz for service management 1.1.3
ibm data risk manager 2.0.6
ibm qradar security information and event manager 7.5.0 -
Denotes that component is vulnerable