Описание
XML external entity (XXE) vulnerability in the XML converter setup in converter/jaxp/XmlConverter.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allows remote attackers to read arbitrary files via an external entity in an SAXSource.
It was found that Apache Camel's XML converter performed XML External Entity (XXE) expansion. A remote attacker able to submit an SAXSource containing an XXE declaration could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| OpenShift Enterprise 1 | camel | Will not fix | ||
| Red Hat JBoss Enterprise Web Server 1 | amq-6 | Affected | ||
| Red Hat JBoss Enterprise Web Server 1 | fuse-6 | Affected | ||
| Red Hat JBoss Enterprise Web Server 1 | fuse-esb-7 | Will not fix | ||
| Red Hat JBoss Enterprise Web Server 1 | fuse-mq-7 | Will not fix | ||
| Red Hat OpenShift Enterprise 2 | camel | Affected | ||
| Red Hat JBoss A-MQ 6.1 | Fixed | RHSA-2015:1041 | 01.06.2015 | |
| Red Hat JBoss BPMS 6.0 | Camel | Fixed | RHSA-2015:1539 | 03.08.2015 |
| Red Hat JBoss BRMS 6.0 | Camel | Fixed | RHSA-2015:1538 | 03.08.2015 |
| Red Hat JBoss Fuse 6.1 | Fixed | RHSA-2015:1041 | 01.06.2015 |
Показывать по
Дополнительная информация
Статус:
EPSS
5 Medium
CVSS2
Связанные уязвимости
XML external entity (XXE) vulnerability in the XML converter setup in converter/jaxp/XmlConverter.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allows remote attackers to read arbitrary files via an external entity in an SAXSource.
EPSS
5 Medium
CVSS2