Lucene search

Veracode Vulnerability DatabaseVERACODE:3675

HistoryMar 17, 2017 - 8:03 a.m.

Server-Side Request Forgery (SSRF)

2017-03-1708:03:31

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

7.4 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N

5.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

JSON

Apache Camel is vulnerable to Server-Side Request Forgery (SSRF) via remote DTDs URLs or XML External Entities (XXE). This is because the validation component of Apache Camel evaluates DTD headers of XML stream sources, although a validation against XML schemas (XSD) is executed. Remote attackers can exploit it to make Server-Side Request Forgery attacks by sending XML documents with remote DTDs URLs or XML External Entities. The vulnerability is not given for SAX or StAX sources.

CPENameOperatorVersion
camel :: corele2.18.2
camel :: corele2.17.5

CPE	Name	Operator	Version
	camel :: core	le	2.18.2
	camel :: core	le	2.17.5

References

camel.apache.org/security-advisories.data/CVE-2017-5643.txt.asc?version=1&modificationDate=1489652454000&api=v2

issues.apache.org/jira/browse/CAMEL-10894

7.4 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N

5.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

JSON

Related for VERACODE:3675