Apache Camel security advisory: CVE-2015-0264

Severity

MEDIUM

Summary

The XPath handling in Apache Camel for invalid XML Strings or invalid XML GenericFile objects allows remote attackers to read arbitrary files via an XML External Entity (XXE) declaration. The external entity is resolved before the parse exception for the invalid XML is thrown, so the file read still takes place even though the input is ultimately rejected.

Versions affected

2.13.0 up to 2.13.3, 2.14.0 up to 2.14.1

Versions fixed

2.13.4, 2.14.2, 2.15.0 and newer

Description

The XPath handling in Apache Camel for invalid XML Strings or invalid XML GenericFile objects allows remote attackers to read arbitrary files via an XML External Entity (XXE) declaration. The external entity is resolved before the parse exception for the invalid XML is thrown, so the file read still takes place even though the input is ultimately rejected.

Mitigation

2.13.x users should upgrade to 2.13.4, 2.14.x users should upgrade to 2.14.2. The fix is included from Camel 2.15.0 onward; the commit is: https://git-wip-us.apache.org/repos/asf?p=camel.git;a=commitdiff;h=1df559649a96a1ca0368373387e542f46e4820da

Credit

This issue was discovered by Stephan Siano.

References

PGP signed advisory data: CVE-2015-0264.txt.asc
Mitre CVE Entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0264