CVE-2020-11994

Name: CVE-2020-11994
Creator: NVD / NIST
Published: 2020-07-08T16:15:11.01+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.5/10EPSS 4.49%

Last modified Jun 17, 2026

CVE-2020-11994 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. Server-Side Template Injection and arbitrary file disclosure on Camel templating components. EPSS estimates a 4.49% chance of exploitation in the next 30 days.

Description

Server-Side Template Injection and arbitrary file disclosure on Camel templating components

Metrics

CVSS 3.1

7.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Probability

4.49%

90.3th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-74

Affected Software

Vendor	Product	Versions
Apache	Camel	>= 2.22.0, <= 2.22.5
Apache	Camel	>= 2.23.0, <= 2.23.4
Apache	Camel	>= 2.24.0, <= 2.24.3
Apache	Camel	>= 3.0.0, <= 3.3.0
Apache	Camel	2.25.0
Apache	Camel	2.25.1
Oracle	Communications Diameter Signaling Router	>= 8.0.0, <= 8.5.0
Oracle	Enterprise Manager Base Platform	13.4.0.0
Oracle	Enterprise Repository	11.1.1.7.0

References

https://lists.apache.org/thread.html/d0e00f2e147a9e9b13a6829133092f349b2882bf6860397368a52600%40%3Cannounce.tomcat.apache.org%3E
https://www.oracle.com/security-alerts/cpuApr2021.htmlPatch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2021.htmlPatch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.htmlPatch, Third Party Advisory
https://lists.apache.org/thread.html/d0e00f2e147a9e9b13a6829133092f349b2882bf6860397368a52600%40%3Cannounce.tomcat.apache.org%3E
https://www.oracle.com/security-alerts/cpuApr2021.htmlPatch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2021.htmlPatch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.htmlPatch, Third Party Advisory

Timeline

Published: Jul 8, 2020
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2020-11994?

Server-Side Template Injection and arbitrary file disclosure on Camel templating components

How severe is CVE-2020-11994?

CVE-2020-11994 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 4.49% probability of exploitation in the next 30 days.

How do I fix CVE-2020-11994?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2020-11994?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST