Apache Camel security advisory: CVE-2015-0263
Severity
MEDIUM
Summary
The XML converter setup in Apache Camel allows remote attackers to read arbitrary files via a SAXSource containing an XML External Entity (XXE) declaration.
Versions affected
2.13.0 up to 2.13.3, 2.14.0 up to 2.14.1
Versions fixed
2.13.4, 2.14.2, 2.15.0 and newer
Description
The XML converter setup in Apache Camel allows remote attackers to read arbitrary files via a SAXSource containing an XML External Entity (XXE) declaration: the XMLReader behind the SAXSource is left with external entity resolution enabled, so a DOCTYPE that declares an entity whose SYSTEM identifier points at a local file causes that file's contents to be expanded into the parsed document, where the attacker can read them.
Mitigation
2.13.x users should upgrade to 2.13.4, 2.14.x users should upgrade to 2.14.2. The patch is included from Camel 2.15.0 onward: https://git-wip-us.apache.org/repos/asf?p=camel.git;a=commitdiff;h=7d19340bcdb42f7aae584d9c5003ac4f7ddaee36
Credit
This issue was discovered by Stephan Siano.
References
- PGP signed advisory data: CVE-2015-0263.txt.asc
- Mitre CVE Entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0263
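Worked example of the bug class described above. This is an added illustration written in plain JAXP; it is not code from the advisory, from the linked commit, or from Apache Camel's XmlConverter. It shows a SAXSource built around an XMLReader with default parser features expanding an external entity and leaking a file's contents into the transform output, beside a reader with DOCTYPE and external entity resolution disabled that rejects the same document. The class and method names, the scratch file standing in for a sensitive file, and the payload are all constructed for the example.

```java
import java.io.File;
import java.io.StringReader;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stream.StreamResult;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;

public class XxeSaxSourceDemo {

    // Reader with JAXP defaults: DOCTYPE accepted, external entities resolved.
    // This is the unsafe setup behind the advisory's class of bug.
    static XMLReader defaultReader() throws Exception {
        return SAXParserFactory.newInstance().newSAXParser().getXMLReader();
    }

    // Hardened reader: refuse any DOCTYPE, and additionally switch off external
    // general/parameter entities and external DTD loading for parsers that
    // do not honour disallow-doctype-decl (an Apache Xerces feature, supported
    // by the JDK's built-in parser).
    static XMLReader hardenedReader() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        return f.newSAXParser().getXMLReader();
    }

    // Drive a SAXSource through an identity Transformer, the way a converter
    // turning a SAXSource into a String would, and return the serialized result.
    // An expanded external entity surfaces here as the referenced file's contents.
    static String identityTransform(XMLReader reader, String xml) throws Exception {
        SAXSource source = new SAXSource(reader, new InputSource(new StringReader(xml)));
        Transformer t = TransformerFactory.newInstance().newTransformer();
        StringWriter out = new StringWriter();
        t.transform(source, new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a scratch file stands in for a sensitive file such
        // as /etc/passwd so the demo runs anywhere without touching real data.
        File secret = File.createTempFile("xxe-demo", ".txt");
        secret.deleteOnExit();
        Files.write(secret.toPath(), "SECRET-CONTENT".getBytes(StandardCharsets.UTF_8));

        // Attacker-controlled payload: the DOCTYPE declares an external entity
        // whose SYSTEM identifier is a file: URI, and the body references it.
        String payload = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE doc [<!ENTITY xxe SYSTEM \"" + secret.toURI() + "\">]>\n"
                + "<doc>&xxe;</doc>";

        String leaked = identityTransform(defaultReader(), payload);
        System.out.println("default reader leaks file: " + leaked.contains("SECRET-CONTENT"));

        try {
            identityTransform(hardenedReader(), payload);
            System.out.println("hardened reader: entity expanded (unexpected)");
        } catch (Exception e) {
            // disallow-doctype-decl makes the parser reject the document before
            // any entity can be resolved; the Transformer rethrows the parse error.
            System.out.println("hardened reader rejected payload: " + e.getMessage());
        }
    }
}
```

Compile and run with javac and java on a stock JDK. The explicit SAX features are the reliable control: the JAXP secure-processing feature and the external-access properties have changed defaults across JDK releases, so a converter that builds XMLReaders for untrusted input should set these features itself rather than rely on factory defaults. If callers must accept documents with a DOCTYPE (for example, ones using internal entities only), drop disallow-doctype-decl and keep the three entity/DTD features; on a SAX implementation that does not recognise a feature, setFeature throws SAXNotRecognizedException, which should be treated as a configuration failure rather than ignored.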