CVE-2020-11994: Server-Side Template Injection and arbitrary file disclosure on Camel templating components

Severity: MEDIUM

Vendor: The Apache Software Foundation

Versions Affected: Camel 2.25.0 to 2.25.1, Camel 3.0.0 to 3.3.0. The unsupported Camel 2.x (2.24 and earlier) versions may also be affected.

Description: Server-Side Template Injection and arbitrary file disclosure on Camel templating components

Mitigation: 2.x users should upgrade to 2.25.2, 3.x users should upgrade to 3.4.0.

The JIRA tickets https://issues.apache.org/jira/browse/CAMEL-15013 and https://issues.apache.org/jira/browse/CAMEL-15050 refer to the various commits that resolved the issue, and have more details.

Credit: This issue was discovered by GHSL team member @pwntester (Alvaro Muñoz)