Apache Camel security advisory: CVE-2015-0263

Severity

MEDIUM

Summary

The XML converter setup in Apache Camel allows remote attackers to read arbitrary files via an SAXSource containing an XML External Entity (XXE) declaration.

Versions affected

2.13.0 up to 2.13.3, 2.14.0 up to 2.14.1

Versions fixed

2.13.4, 2.14.2, 2.15.0 and newer

Description

The XML converter setup in Apache Camel allows remote attackers to read arbitrary files via an SAXSource containing an XML External Entity (XXE) declaration.

Mitigation

2.13.x users should upgrade to 2.13.4; 2.14.x users should upgrade to 2.14.2. The fix is included from Camel 2.15.0 onward: https://git-wip-us.apache.org/repos/asf?p=camel.git;a=commitdiff;h=7d19340bcdb42f7aae584d9c5003ac4f7ddaee36
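For application code that still builds its own SAXSource objects, the following added example (not Camel's code and not part of the advisory) shows an XMLReader configured to refuse DOCTYPE declarations and external entities, so an XXE payload of the kind described above fails to parse instead of reading a file; the sample document and its file path are constructed placeholders.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stream.StreamResult;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;

public class HardenedSaxSource {

    // Constructed sample: a document carrying an external entity declaration
    // (the vector this advisory describes). The path is a placeholder.
    static final String XXE_DOC =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE data [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER/secret.txt\">]>\n"
      + "<data>&ext;</data>";

    // Build a SAXSource whose reader cannot resolve external entities at all.
    static SAXSource hardenedSource(String xml) throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        // Refuse any DOCTYPE (blocks inline entity declarations outright).
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces for parsers that must accept a DOCTYPE:
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        XMLReader reader = f.newSAXParser().getXMLReader();
        return new SAXSource(reader, new InputSource(new StringReader(xml)));
    }

    // Returns true when the hardened reader rejects the document.
    static boolean isRejected(SAXSource source) throws Exception {
        Transformer t = TransformerFactory.newInstance().newTransformer();
        try {
            t.transform(source, new StreamResult(new StringWriter()));
            return false;
        } catch (TransformerException e) {
            return true; // the DOCTYPE was refused before any entity was resolved
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("rejected = " + isRejected(hardenedSource(XXE_DOC)));
    }
}
```

Passing a bare `new SAXSource(new InputSource(...))` with no reader lets the transformer create a default parser, which is the configuration the hardening above replaces.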

Credit

This issue was discovered by Stephan Siano.

References

PGP signed advisory data: CVE-2015-0263.txt.asc
Mitre CVE Entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0263