Red Hat Integration: 3.20.1 Important: Remote Code Execution & DoS

This release of Camel for Spring Boot 3.20.1 serves as a replacement for Camel for Spring Boot 3.18.3 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References.
The purpose of this text-only errata is to inform you about the security issues fixed.
Security Fix(es):
* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)
* JXPath: untrusted XPath expressions may lead to RCE attack (CVE-2022-41852)
* hsqldb: Untrusted input may lead to RCE attack (CVE-2022-41853)
* xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow (CVE-2022-41966)
* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860)
* apache-commons-net: FTP client trusts the host from PASV response by default (CVE-2021-37533)
* undertow: Server identity in https connection is not checked by the undertow client (CVE-2022-4492)
* apache-spark: XSS vulnerability in log viewer UI Javascript (CVE-2022-31777)
* Apache Pulsar: Improper Hostname Verification in Java Client and Proxy can expose authentication data via MITM (CVE-2022-33681)
* apache-ivy: Directory Traversal (CVE-2022-37865)
* : Apache Ivy: Ivy Path traversal (CVE-2022-37866)
* batik: Server-Side Request Forgery (CVE-2022-38398)
* batik: Server-Side Request Forgery (CVE-2022-38648)
* snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)
* snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject (CVE-2022-38750)
* snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match (CVE-2022-38751)
* snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode (CVE-2022-38752)
* scandium: Failing DTLS handshakes may cause throttling to block processing of records (CVE-2022-39368)
* batik: Server-Side Request Forgery (SSRF) vulnerability (CVE-2022-40146)
* xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40151)
* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40152)
* xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40156)
* batik: Apache XML Graphics Batik vulnerable to code execution via SVG (CVE-2022-41704)
* dev-java/snakeyaml: DoS via stack overflow (CVE-2022-41854)
* codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS (CVE-2022-41881)
* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)
* batik: Untrusted code execution in Apache XML Graphics Batik (CVE-2022-42890)
* jettison: Uncontrolled Recursion in JSONArray (CVE-2023-1436)
* springframework: Spring Expression DoS Vulnerability (CVE-2023-20861)
* shiro: Authentication bypass through a specially crafted HTTP request (CVE-2023-22602)
* Apache Commons FileUpload: FileUpload DoS with excessive parts (CVE-2023-24998)
* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)
* springframework: Spring Expression DoS Vulnerability (CVE-2023-20863)
* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.