GitHub Advisory DatabaseGHSA-MHX2-R3JX-G94CApache Camel allows remote actor to read arbitrary files via external entity in invalid XML string or GenericFile object
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
EPSS
Percentile
71.6%
Multiple XML external entity (XXE) vulnerabilities in builder/xml/XPathBuilder.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allow remote attackers to read arbitrary files via an external entity in an invalid XML (1) String or (2) GenericFile object in an XPath query.
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| org.apache.camel | camel-core | * | cpe:2.3:a:org.apache.camel:camel-core:*:*:*:*:*:*:*:* |
References
rhn.redhat.com/errata/RHSA-2015-1041.html
rhn.redhat.com/errata/RHSA-2015-1538.html
rhn.redhat.com/errata/RHSA-2015-1539.html
securitytracker.com/id/1032442
camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc
git-wip-us.apache.org/repos/asf?p=camel.git;a=commitdiff;h=1df559649a96a1ca0368373387e542f46e4820da
github.com/advisories/GHSA-mhx2-r3jx-g94c
github.com/apache/camel/commit/7360aada5154434c68774aa30e0f21ddc5f27b9f
github.com/apache/camel/commit/b47b51a195b38e7ab7c099d19910af70a16638f6
issues.apache.org/jira/browse/CAMEL-8312
lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf@%3Ccommits.camel.apache.org%3E
lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d@%3Ccommits.camel.apache.org%3E
nvd.nist.gov/vuln/detail/CVE-2015-0264
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
EPSS
Percentile
71.6%