OR
     *cpe:2.3:a:apache:camel:2.14.4:*:*:*:*:*:*:* (and previous)
     *cpe:2.3:a:apache:camel:2.16.0:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:camel:2.16.1:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:camel:2.16.2:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:camel:2.16.3:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:camel:2.16.4:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:camel:2.17.0:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:camel:2.17.1:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:camel:2.17.2:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:camel:2.17.3:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:camel:2.17.4:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:camel:2.18.0:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:camel:2.18.1:*:*:*:*:*:*:*

(AV:N/AC:L/Au:N/C:P/I:P/A:P)

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-502

Apache Camel's camel-jackson and camel-jacksonxml components are vulnerable to Java object de-serialization vulnerability. Camel allows to specify such a type through the 'CamelJacksonUnmarshalType' property. De-serializing untrusted data can lead to security flaws as demonstrated in various similar reports about Java de-serialization issues.

** REJECT **  DO NOT USE THIS CANDIDATE NUMBER.  ConsultIDs: CVE-2016-9606.  Reason: This candidate is a duplicate of CVE-2016-9606.  Reason: this ID was intended for one issue, but was associated with two issues.  Notes: All CVE users should reference CVE-2016-9606 instead of this candidate.  All references and descriptions in this candidate have been removed to prevent accidental usage.

true

false

http://camel.apache.org/security-advisories.data/CVE-2016-8749.txt.asc?version=2&modificationDate=1486565034000&api=v2 [Vendor Advisory]

http://www.securityfocus.com/bid/94940 [No Types Assigned]