Impact
The vulnerability exists in the Apache Camel PQC component where persisted post‑quantum key metadata is deserialized with raw Java ObjectInputStream without a filter, allowing a crafted serialized object to be executed during normal key‑lifecycle operations. An attacker with permission to write to the AWS Secrets Manager secret that stores this metadata can inject malicious code that will run in the application’s context when the secret is read. The flaw is categorized as untrusted data deserialization (CWE‑502).
Affected Systems
This issue affects Apache Camel versions 4.18.0 through 4.18.2 and 4.19.0 through 4.20.9. The affected vendor is the Apache Software Foundation; the product is Apache Camel.
Risk and Exploitability
The probability of exploitation is low (EPSS < 1 %) and the vulnerability is not listed in CISA’s KEV catalogue, yet the impact of remote code execution is severe. The attack vector requires Write access to the specific Secrets Manager secret, so the risk is limited to environments where the secret can be modified by untrusted entities. Upgrading to a patched release eliminates the flaw, while a temporary mitigation is to enforce least‑privilege IAM on the secret.
OpenCVE Enrichment