Description
Apache Camel's Validation Component is vulnerable to SSRF via remote DTDs and XXE.
It was found that Apache Camel's validation component evaluates the DTD header of XML stream sources even though the document is being validated against an XML Schema (XSD). Remote attackers can use this behaviour to perform Server-Side Request Forgery (SSRF) by sending XML documents that reference remote DTD URLs or contain XML External Entities (XXE). SAX and StAX sources are not affected.
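The description above says the validator resolves a document's DTD before XSD validation even starts. As an added illustration of the defensive setting (this is example code, not code from the page or from the Apache Camel project), the Java snippet below configures a javax.xml.validation Validator so that it refuses external DTD, external entity and external schema access while validating a StreamSource. It assumes that Camel's validation component builds on javax.xml.validation (the page does not describe Camel internals); the schema, the input document and the DTD host name are constructed for the example.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import org.xml.sax.SAXException;

public class HardenedXsdValidation {

    // Constructed minimal schema: a single <order> element with string content.
    static final String ORDER_XSD =
        "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\">"
      + "  <xs:element name=\"order\" type=\"xs:string\"/>"
      + "</xs:schema>";

    // Constructed input: schema-valid, but its DOCTYPE names a remote DTD
    // (placeholder host). A Validator with default settings fetches that URL
    // before schema validation starts; the hardened one never connects.
    static final String ORDER_WITH_REMOTE_DTD =
        "<?xml version=\"1.0\"?>"
      + "<!DOCTYPE order SYSTEM \"http://dtd-host.example.invalid/order.dtd\">"
      + "<order>42</order>";

    /** Builds an XSD validator that refuses all external DTD, entity and schema access. */
    static Validator hardenedValidator(String xsd) throws SAXException {
        SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        // Empty string = no protocol allowed (JAXP 1.5 properties, JDK 7u40+ / 8+).
        factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        Schema schema = factory.newSchema(new StreamSource(new StringReader(xsd)));

        Validator validator = schema.newValidator();
        // The Validator parses the instance document itself, so it needs the same
        // restriction. ACCESS_EXTERNAL_DTD covers both external DTDs and external
        // (general and parameter) entities, i.e. both SSRF vectors named above.
        validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return validator;
    }

    /** Returns true if the document validates, false if the parser rejected it. */
    static boolean validate(String xsd, String xml) throws SAXException, IOException {
        Validator validator = hardenedValidator(xsd);
        try {
            validator.validate(new StreamSource(new StringReader(xml)));
            return true;
        } catch (SAXException e) {
            // The JDK's built-in parser reports a blocked external DTD as a
            // SAXParseException that names the accessExternalDTD restriction.
            System.err.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        boolean ok = validate(ORDER_XSD, ORDER_WITH_REMOTE_DTD);
        System.out.println(ok ? "validated" : "rejected without contacting the DTD host");
    }
}
```

With the JDK's bundled parser the constructed input is rejected before any connection is attempted, which is the desired outcome for a service that accepts XML from untrusted callers. If the classpath carries an older third-party Xerces that does not recognise these properties, `setProperty` throws `SAXNotRecognizedException`; in that case the alternative consistent with the page's remark about SAX sources is to hand the validator a `SAXSource` built over an `XMLReader` whose `http://apache.org/xml/features/disallow-doctype-decl` feature is enabled.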
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat JBoss A-MQ 6 | camel | Affected | | |
| Red Hat JBoss BRMS 5 | camel-core | Will not fix | | |
| Red Hat JBoss Data Grid 6 | camel-core | Out of support scope | | |
| Red Hat JBoss Fuse Service Works 6 | camel-core | Affected | | |
| Red Hat JBoss SOA Platform 5 | camel-core | Will not fix | | |
| Red Hat OpenShift Enterprise 2 | camel-core | Will not fix | | |
| Red Hat JBoss A-MQ 6.3 | camel | Fixed | RHSA-2017:1832 | 10.08.2017 |
| Red Hat JBoss Fuse 6.3 | camel | Fixed | RHSA-2017:1832 | 10.08.2017 |
Additional information
Status:
Moderate
Defect:
CWE-918
https://bugzilla.redhat.com/show_bug.cgi?id=1433374
camel-core: Validation component vulnerable to SSRF via remote DTDs and XXE
6.5 Medium
CVSS3
Related vulnerabilities
CVSS3: 7.4
nvd
almost 9 years ago
Apache Camel's Validation Component is vulnerable to SSRF via remote DTDs and XXE.
CVSS3: 7.4
github
more than 7 years ago
Apache Camel's Validation Component is vulnerable to SSRF via remote DTDs and XXE.