1855786 – (CVE-2020-11994) CVE-2020-11994 camel: server-side template injection and arbitrary file disclosure on templating components

Bug 1855786 (CVE-2020-11994) - CVE-2020-11994 camel: server-side template injection and arbitrary file disclosure on templating components

Summary: CVE-2020-11994 camel: server-side template injection and arbitrary file discl...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2020-11994
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1855787
TreeView+	depends on / blocked

Reported:	2020-07-10 13:49 UTC by Guilherme de Almeida Suckevicz
Modified:	2023-12-15 18:26 UTC (History)
CC List:	34 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2020-09-01 19:17:28 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2020:3587	0	None	None	None	2020-09-01 14:41:18 UTC
Red Hat Product Errata	RHSA-2020:5568	0	None	None	None	2020-12-16 12:14:44 UTC

Description Guilherme de Almeida Suckevicz 2020-07-10 13:49:04 UTC

Server-Side Template Injection and arbitrary file disclosure on Camel templating components.

Reference:
https://camel.apache.org/security/CVE-2020-11994.html

Comment 4 Jonathan Christison 2020-07-17 12:49:53 UTC

Red Hat AMQ 6 as affected but at a lower impact, It is delivery linked with Fuse 6 and so distributes Camel and its components but this vulnerability does not directly affect ActiveMQ components themselves and only affects camel template components: 

 - freemarker 
 - velocity 
 - mvel 
 - mustache 
 - string-template 
 - chunk 
 - jolt 
 - jslt 


This vulnerability is out of security support scope for the following products:
 * Red Hat AMQ 6
 * Red Hat JBoss Fuse Service Works 6
 * Red Hat JBoss BPM Suite 6

Comment 6 errata-xmlrpc 2020-09-01 14:41:15 UTC

This issue has been addressed in the following products:

  Red Hat Fuse 6.3

Via RHSA-2020:3587 https://access.redhat.com/errata/RHSA-2020:3587

Comment 7 Product Security DevOps Team 2020-09-01 19:17:28 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-11994

Comment 8 errata-xmlrpc 2020-12-16 12:14:36 UTC

This issue has been addressed in the following products:

  Red Hat Fuse 7.8.0

Via RHSA-2020:5568 https://access.redhat.com/errata/RHSA-2020:5568

Note You need to log in before you can comment on or make changes to this bug.

aileenc
akoufoud
alazarot
almorale
anstephe
ataylor
chazlett
drieden
etirelli
ganandan
ggaughan
gmalinko
gvarsami
ibek
janstey
jcoleman
jochrist
jstastny
jwon
kconner
krathod
kverlaen
ldimaggi
mnovotny
nwallace
paradhya
pjindal
rrajasek
rsynek
rwagner
sdaley
tcunning
tkirby
yozone