Impact
Apache Camel’s Camel‑PQC component persists key lifecycle metadata using unfiltered java.io.ObjectInputStream deserialization. A crafted serialized object placed in the configured secret backend, such as HashiCorp Vault or AWS Secrets Manager, is read during normal key‑lifecycle operations before any type validation occurs. This flaw, classified as CWE‑502, enables arbitrary code execution in the context of the Camel application that manages the keys.
Affected Systems
Affected systems are the Apache Camel product from the Apache Software Foundation. Vulnerable versions include 4.18.0 through 4.18.2 and 4.19.0 through 4.20.x. Updates to 4.21.0 (or 4.18.3 for the 4.18.x LTS stream) contain the fix.
Risk and Exploitability
Risk and exploitability: The EPSS score is less than 1 %, indicating a low but non‑zero likelihood of exploitation. The vulnerability is not listed in CISA’s KEV catalog. Attackers can exploit this flaw only if they can write to the operator‑controlled secret backend that holds the serialized metadata, such as by obtaining a Vault token with write permissions or an IAM user/role with secretsmanager:PutSecretValue rights. Successful exploitation would allow full control over the Camel host process.
OpenCVE Enrichment