Vulnerabilities related to Apache Software Foundation - Apache Camel
cve-2017-12633
Vulnerability from cvelistv5
Published: 2017-11-15 15:00
Modified: 2024-09-16 22:25
Summary
The camel-hessian component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to a Java object de-serialisation vulnerability. De-serializing untrusted data can lead to security flaws.
References
URL | Tags
---|---
http://www.securityfocus.com/bid/101874 | vdb-entry, x_refsource_BID
https://access.redhat.com/errata/RHSA-2018:0319 | vendor-advisory, x_refsource_REDHAT
https://issues.apache.org/jira/browse/CAMEL-11923 | x_refsource_CONFIRM
http://camel.apache.org/security-advisories.data/CVE-2017-12633.txt.asc | x_refsource_CONFIRM
https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d%40%3Ccommits.camel.apache.org%3E | mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E | mailing-list, x_refsource_MLIST
Impacted products
Vendor | Product | Version
---|---|---
Apache Software Foundation | Apache Camel | 2.19.0 to 2.19.3; 2.20.0; the unsupported Camel 2.x versions (2.18 and earlier) may also be affected
cve-2016-8749
Vulnerability from cvelistv5
Published: 2017-03-28 18:00
Modified: 2024-08-06 02:35
Summary
Apache Camel's Jackson and JacksonXML unmarshalling operations are vulnerable to Remote Code Execution attacks.
References
URL | Tags
---|---
https://access.redhat.com/errata/RHSA-2017:1832 | vendor-advisory, x_refsource_REDHAT
https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true | x_refsource_MISC
http://camel.apache.org/security-advisories.data/CVE-2016-8749.txt.asc?version=2&modificationDate=1486565034000&api=v2 | x_refsource_CONFIRM
http://www.securityfocus.com/bid/97179 | vdb-entry, x_refsource_BID
http://www.openwall.com/lists/oss-security/2017/05/22/2 | mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d%40%3Ccommits.camel.apache.org%3E | mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E | mailing-list, x_refsource_MLIST
Impacted products
Vendor | Product | Version
---|---|---
Apache Software Foundation | Apache Camel | 2.16.0 to 2.16.4; 2.17.0 to 2.17.4; 2.18.0 to 2.18.1; the unsupported Camel 2.x versions (2.14 and earlier) may also be affected
cve-2017-5643
Vulnerability from cvelistv5
Published: 2017-03-16 15:00
Modified: 2024-08-05 15:04
Summary
Apache Camel's Validation Component is vulnerable to SSRF via remote DTDs and XXE.
References
URL | Tags
---|---
http://www.securityfocus.com/bid/97226 | vdb-entry, x_refsource_BID
https://access.redhat.com/errata/RHSA-2017:1832 | vendor-advisory, x_refsource_REDHAT
http://camel.apache.org/security-advisories.data/CVE-2017-5643.txt.asc?version=1&modificationDate=1489652454000&api=v2 | x_refsource_CONFIRM
https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d%40%3Ccommits.camel.apache.org%3E | mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E | mailing-list, x_refsource_MLIST
Impacted products
Vendor | Product | Version
---|---|---
Apache Software Foundation | Apache Camel | 2.17.0 to 2.17.5; 2.18.0 to 2.18.2; the unsupported Camel 2.x versions (2.16 and earlier) may also be affected
cve-2024-22371
Vulnerability from cvelistv5
Published: 2024-02-26 09:22
Modified: 2024-10-31 13:03
Severity: CVSS 3.1 base score 2.9 (Low), vector CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N (from the CNA record); weakness CWE-922 Insecure Storage of Sensitive Information (CISA ADP)
Summary
Exposure of sensitive data by crafting a malicious EventFactory and providing a custom ExchangeCreatedEvent that exposes sensitive data. Vulnerability in Apache Camel. This issue affects Apache Camel: from 3.21.X through 3.21.3, from 3.22.X through 3.22.0, from 4.0.X through 4.0.3, from 4.X through 4.3.0.
Users are recommended to upgrade to version 3.21.4, 3.22.1, 4.0.4 or 4.4.0, which fixes the issue.
References
URL | Tags
---|---
https://camel.apache.org/security/CVE-2024-22371.html | vendor-advisory
Impacted products
Vendor | Product | Version
---|---|---
Apache Software Foundation | Apache Camel | 3.21.x ≤ 3.21.3; 3.22.x ≤ 3.22.0; 4.0.x ≤ 4.0.3; 4.x ≤ 4.3.0
cve-2018-8041
Vulnerability from cvelistv5
Published: 2018-09-17 14:00
Modified: 2024-09-17 04:29
Summary
Apache Camel's Mail 2.20.0 through 2.20.3, 2.21.0 through 2.21.1 and 2.22.0 is vulnerable to path traversal.
References
URL | Tags
---|---
http://camel.apache.org/security-advisories.data/CVE-2018-8041.txt.asc?version=1&modificationDate=1536746339000&api=v2 | x_refsource_CONFIRM
http://www.securityfocus.com/bid/105352 | vdb-entry, x_refsource_BID
https://issues.apache.org/jira/browse/CAMEL-12630 | x_refsource_CONFIRM
https://access.redhat.com/errata/RHSA-2018:3768 | vendor-advisory, x_refsource_REDHAT
https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d%40%3Ccommits.camel.apache.org%3E | mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E | mailing-list, x_refsource_MLIST
Impacted products
Vendor | Product | Version
---|---|---
Apache Software Foundation | Apache Camel | Camel 2.20.0 to 2.20.3, Camel 2.21.0 to 2.21.1 and Camel 2.22.0
cve-2025-27636
Vulnerability from cvelistv5
Published
2025-03-09 12:09
Modified
2025-03-17 14:42
Severity: moderate (Apache); CVSS v3.1 5.6 MEDIUM, AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L (CISA ADP)
Summary
Bypass/Injection vulnerability in Apache Camel components under particular conditions.
This issue affects Apache Camel 4.10.0 through 4.10.1, 4.8.0 through 4.8.4, and 3.10.0 through 3.22.3.
Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases.
This vulnerability is present in Camel's default incoming header filter, which allows an attacker to include Camel-specific headers that, for some Camel components, alter behaviour. With the camel-bean component a forged header can call a different method on the bean than the one coded in the application. With the camel-jms component a malicious header can send the message to a different queue (on the same broker) than the one coded in the application. The camel-exec component is affected in the same way.
The attacker needs a way to inject custom headers, which protocols such as HTTP provide. So if you have Camel applications that are directly connected to the internet via HTTP, an attacker could include malicious HTTP headers in the HTTP requests that are sent to the Camel application.
All the known Camel HTTP components such as camel-servlet, camel-jetty, camel-undertow, camel-platform-http, and camel-netty-http are vulnerable out of the box.
In these conditions an attacker could forge a Camel header name and make the bean component invoke other methods on the same bean.
The components that use the default header filter strategy are:
* camel-activemq
* camel-activemq6
* camel-amqp
* camel-aws2-sqs
* camel-azure-servicebus
* camel-cxf-rest
* camel-cxf-soap
* camel-http
* camel-jetty
* camel-jms
* camel-kafka
* camel-knative
* camel-mail
* camel-nats
* camel-netty-http
* camel-platform-http
* camel-rest
* camel-sjms
* camel-spring-rabbitmq
* camel-stomp
* camel-tahu
* camel-undertow
* camel-xmpp
The vulnerability arises from a bug in the default filtering mechanism, which only blocks headers starting with the exact strings "Camel", "camel", or "org.apache.camel." (CWE-178, improper handling of case sensitivity). Camel itself treats header names case-insensitively, so a header spelled "cAmelBeanMethodName" passes the filter and is then read by the bean component as "CamelBeanMethodName".
Mitigation: you can work around this in your Camel applications by removing the headers in your Camel routes. There are many ways of doing this, globally or per route; for example, use the removeHeaders EIP to strip anything like "cAmel" or "cAMEL", or in general every header that matches the Camel prefixes case-insensitively but does not start with exactly "Camel", "camel" or "org.apache.camel.". The removal has to happen before the message reaches a component such as camel-bean, camel-jms or camel-exec, so place it at the start of the route, directly after the consumer endpoint.
References
URL | Tags
---|---
https://lists.apache.org/thread/l3zcg3vts88bmc7w8172wkgw610y693z | vendor-advisory
https://issues.apache.org/jira/browse/CAMEL-21828 | issue-tracking
https://camel.apache.org/security/CVE-2025-27636.html | vendor-advisory
Impacted products
Vendor | Product | Version
---|---|---
Apache Software Foundation | Apache Camel | 4.10.0 ≤ version < 4.10.2
Apache Software Foundation | Apache Camel | 4.8.0 ≤ version < 4.8.5
Apache Software Foundation | Apache Camel | 3.10.0 ≤ version < 3.22.4
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2025-03-09T17:02:21.478Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { url: "http://www.openwall.com/lists/oss-security/2025/03/09/1", }, ], title: "CVE Program Container", }, { metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.6, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", version: "3.1", }, }, { other: { content: { id: "CVE-2025-27636", options: [ { Exploitation: "poc", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-03-10T18:51:57.713279Z", version: "2.0.3", }, type: "ssvc", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-178", description: "CWE-178 Improper Handling of Case Sensitivity", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-03-10T18:56:43.452Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, references: [ { tags: [ "exploit", ], url: "https://github.com/akamai/CVE-2025-27636-Apache-Camel-PoC/blob/main/src/main/java/com/example/camel/VulnerableCamel.java", }, { tags: [ "vendor-advisory", ], url: "https://camel.apache.org/security/CVE-2025-27636.txt.asc", }, ], title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { collectionURL: "https://repo.maven.apache.org/maven2", defaultStatus: "unaffected", packageName: "org.apache.camel:camel", product: "Apache Camel", vendor: "Apache Software Foundation", versions: [ { lessThan: "4.10.2", status: "affected", version: "4.10.0", versionType: "semver", }, { lessThan: "4.8.5", status: "affected", version: "4.8.0", versionType: "semver", }, { lessThan: "3.22.4", status: "affected", version: "3.10.0", versionType: "semver", }, ], }, ], credits: [ { lang: "en", 
type: "finder", value: "Mark Thorson", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>Bypass/Injection vulnerability in Apache Camel components under particular conditions.</p><p>This issue affects Apache Camel: from 4.10.0 through <= 4.10.1, from 4.8.0 through <= 4.8.4, from 3.10.0 through <= 3.22.3.</p><p>Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases.</p><div></div><div>This vulnerability is present in Camel's default incoming header filter, that allows an attacker to include Camel specific</div><div>headers that for some Camel components can alter the behaviours such as the camel-bean component, to call another method</div><div>on the bean, than was coded in the application. In the camel-jms component, then a malicious header can be used to send</div><div>the message to another queue (on the same broker) than was coded in the application. This could also be seen by using the camel-exec component</div><div><br></div><div>The attacker would need to inject custom headers, such as HTTP protocols. 
So if you have Camel applications that are</div><div>directly connected to the internet via HTTP, then an attacker could include malicious HTTP headers in the HTTP requests</div><div>that are send to the Camel application.</div><div><br></div>All the known Camel HTTP component such as camel-servlet, camel-jetty, camel-undertow, camel-platform-http, and camel-netty-http would be vulnerable out of the box.<br><br>In these conditions an attacker could be able to forge a Camel header name and make the bean component invoking other methods in the same bean.<br><br><div>In terms of usage of the default header filter strategy the list of components using that is: <br></div><div><div><ul><li>camel-activemq</li><li>camel-activemq6</li><li>camel-amqp</li><li>camel-aws2-sqs</li><li>camel-azure-servicebus</li><li>camel-cxf-rest</li><li>camel-cxf-soap</li><li>camel-http</li><li>camel-jetty</li><li>camel-jms</li><li>camel-kafka</li><li>camel-knative</li><li>camel-mail</li><li>camel-nats</li><li>camel-netty-http</li><li>camel-platform-http</li><li>camel-rest</li><li>camel-sjms</li><li>camel-spring-rabbitmq</li><li>camel-stomp</li><li>camel-tahu</li><li>camel-undertow</li><li>camel-xmpp</li></ul></div></div><div>The vulnerability arises due to a bug in the default filtering mechanism that only blocks headers starting with \"Camel\", \"camel\", or \"org.apache.camel.\". </div><br><div><span style=\"background-color: var(--wht);\">Mitigation: </span>You can easily work around this in your Camel applications by removing the headers in your Camel routes. There are many ways of doing this, also globally or per route. This means you could use the removeHeaders EIP, to filter out anything like \"cAmel, cAMEL\" etc, or in general everything not starting with \"Camel\", \"camel\" or \"org.apache.camel.\". 
<br></div><br>", }, ], value: "Bypass/Injection vulnerability in Apache Camel components under particular conditions.\n\nThis issue affects Apache Camel: from 4.10.0 through <= 4.10.1, from 4.8.0 through <= 4.8.4, from 3.10.0 through <= 3.22.3.\n\nUsers are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases.\n\n\n\nThis vulnerability is present in Camel's default incoming header filter, that allows an attacker to include Camel specific\n\nheaders that for some Camel components can alter the behaviours such as the camel-bean component, to call another method\n\non the bean, than was coded in the application. In the camel-jms component, then a malicious header can be used to send\n\nthe message to another queue (on the same broker) than was coded in the application. This could also be seen by using the camel-exec component\n\n\n\n\nThe attacker would need to inject custom headers, such as HTTP protocols. So if you have Camel applications that are\n\ndirectly connected to the internet via HTTP, then an attacker could include malicious HTTP headers in the HTTP requests\n\nthat are send to the Camel application.\n\n\n\n\nAll the known Camel HTTP component such as camel-servlet, camel-jetty, camel-undertow, camel-platform-http, and camel-netty-http would be vulnerable out of the box.\n\nIn these conditions an attacker could be able to forge a Camel header name and make the bean component invoking other methods in the same bean.\n\nIn terms of usage of the default header filter strategy the list of components using that is: \n\n\n * camel-activemq\n * camel-activemq6\n * camel-amqp\n * camel-aws2-sqs\n * camel-azure-servicebus\n * camel-cxf-rest\n * camel-cxf-soap\n * camel-http\n * camel-jetty\n * camel-jms\n * camel-kafka\n * camel-knative\n * camel-mail\n * camel-nats\n * camel-netty-http\n * camel-platform-http\n * camel-rest\n * camel-sjms\n * camel-spring-rabbitmq\n * camel-stomp\n * camel-tahu\n * 
camel-undertow\n * camel-xmpp\n\n\n\n\n\n\nThe vulnerability arises due to a bug in the default filtering mechanism that only blocks headers starting with \"Camel\", \"camel\", or \"org.apache.camel.\". \n\n\nMitigation: You can easily work around this in your Camel applications by removing the headers in your Camel routes. There are many ways of doing this, also globally or per route. This means you could use the removeHeaders EIP, to filter out anything like \"cAmel, cAMEL\" etc, or in general everything not starting with \"Camel\", \"camel\" or \"org.apache.camel.\".", }, ], metrics: [ { other: { content: { text: "moderate", }, type: "Textual description of severity", }, }, ], problemTypes: [ { descriptions: [ { description: "Bypass/Injection", lang: "en", }, ], }, ], providerMetadata: { dateUpdated: "2025-03-17T14:42:57.795Z", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "vendor-advisory", ], url: "https://lists.apache.org/thread/l3zcg3vts88bmc7w8172wkgw610y693z", }, { tags: [ "issue-tracking", ], url: "https://issues.apache.org/jira/browse/CAMEL-21828", }, { tags: [ "vendor-advisory", ], url: "https://camel.apache.org/security/CVE-2025-27636.html", }, ], source: { defect: [ "CAMEL-21828", ], discovery: "UNKNOWN", }, title: "Apache Camel: Camel Message Header Injection via Improper Filtering", x_generator: { engine: "Vulnogram 0.2.0", }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2025-27636", datePublished: "2025-03-09T12:09:58.619Z", dateReserved: "2025-03-04T11:56:29.254Z", dateUpdated: "2025-03-17T14:42:57.795Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2025-30177
Vulnerability from cvelistv5
Published
2025-04-01 11:56
Modified
2025-04-01 18:42
Severity: moderate (Apache); CVSS v3.1 6.5 MEDIUM, AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N (CISA ADP)
Summary
Bypass/Injection vulnerability in Apache Camel in Camel-Undertow component under particular conditions.
This issue affects Apache Camel: from 4.10.0 before 4.10.3, from 4.8.0 before 4.8.6.
Users are recommended to upgrade to version 4.10.3 for 4.10.x LTS and 4.8.6 for 4.8.x LTS.
The camel-undertow component is vulnerable to Camel message header injection: the custom header filter strategy used by the component (its own strategy, not the default one addressed by the related CVE-2025-27636 and CVE-2025-29891) only filters the "out" direction, headers Camel sends in responses, and does not filter the "in" direction, headers arriving in requests.
This allows an attacker to include Camel-specific headers that, for some Camel components, can alter behaviour, such as the camel-bean component or the camel-exec component.
References
URL | Tags
---|---
https://camel.apache.org/security/CVE-2025-27636.html | related
https://camel.apache.org/security/CVE-2025-29891.html | related
https://lists.apache.org/thread/dj79zdgw01j337lr9gvyy4sv8xfyw8py | vendor-advisory
Impacted products
Vendor | Product | Version
---|---|---
Apache Software Foundation | Apache Camel (org.apache.camel:camel-undertow) | 4.10.0 ≤ version < 4.10.3
Apache Software Foundation | Apache Camel (org.apache.camel:camel-undertow) | 4.8.0 ≤ version < 4.8.6
{ containers: { adp: [ { metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.1", }, }, { other: { content: { id: "CVE-2025-30177", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-04-01T18:40:10.405496Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-04-01T18:42:45.532Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { collectionURL: "https://repo.maven.apache.org/maven2", defaultStatus: "unaffected", packageName: "org.apache.camel:camel-undertow", product: "Apache Camel", vendor: "Apache Software Foundation", versions: [ { lessThan: "4.10.3", status: "affected", version: "4.10.0", versionType: "semver", }, { lessThan: "4.8.6", status: "affected", version: "4.8.0", versionType: "semver", }, ], }, ], credits: [ { lang: "en", type: "finder", value: "Mark Thorson of AT&T", }, { lang: "en", type: "reporter", value: "Mark Thorson of AT&T", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>Bypass/Injection vulnerability in Apache Camel in Camel-Undertow component under particular conditions.</p><p>This issue affects Apache Camel: from 4.10.0 before 4.10.3, from 4.8.0 before 4.8.6.</p>Users are recommended to upgrade to version 4.10.3 for 4.10.x LTS and 4.8.6 for 4.8.x LTS.<br><br><div>Camel undertow component is vulnerable to Camel message header injection, in particular the custom header filter strategy used by the component only filter the \"out\" direction, while it doesn't filter the \"in\" direction.</div><br>This 
allows an attacker to include Camel specific headers that for some Camel components can alter the behaviour such as the camel-bean component, or the camel-exec component.<br><br>", }, ], value: "Bypass/Injection vulnerability in Apache Camel in Camel-Undertow component under particular conditions.\n\nThis issue affects Apache Camel: from 4.10.0 before 4.10.3, from 4.8.0 before 4.8.6.\n\nUsers are recommended to upgrade to version 4.10.3 for 4.10.x LTS and 4.8.6 for 4.8.x LTS.\n\nCamel undertow component is vulnerable to Camel message header injection, in particular the custom header filter strategy used by the component only filter the \"out\" direction, while it doesn't filter the \"in\" direction.\n\n\nThis allows an attacker to include Camel specific headers that for some Camel components can alter the behaviour such as the camel-bean component, or the camel-exec component.", }, ], metrics: [ { other: { content: { text: "moderate", }, type: "Textual description of severity", }, }, ], problemTypes: [ { descriptions: [ { description: "Bypass/Injection", lang: "en", }, ], }, { descriptions: [ { cweId: "CWE-164", description: "CWE-164 Improper Neutralization of Internal Special Elements", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-04-01T11:56:30.484Z", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "related", ], url: "https://camel.apache.org/security/CVE-2025-27636.html", }, { tags: [ "related", ], url: "https://camel.apache.org/security/CVE-2025-29891.html", }, { tags: [ "vendor-advisory", ], url: "https://lists.apache.org/thread/dj79zdgw01j337lr9gvyy4sv8xfyw8py", }, ], source: { defect: [ "CAMEL-21876", ], discovery: "UNKNOWN", }, title: "Apache Camel: Camel-Undertow Message Header Injection via Improper Filtering", x_generator: { engine: "Vulnogram 0.2.0", }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: 
"CVE-2025-30177", datePublished: "2025-04-01T11:56:30.484Z", dateReserved: "2025-03-17T14:21:01.706Z", dateUpdated: "2025-04-01T18:42:45.532Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-23114
Vulnerability from cvelistv5
Published
2024-02-20 14:59
Modified
2024-08-28 19:49
Severity: important (Apache); CVSS v3.1 9.8 CRITICAL, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (CISA ADP)
Summary
Deserialization of Untrusted Data vulnerability in the Apache Camel CassandraQL component: its AggregationRepository (CassandraAggregationRepository) performs unsafe deserialization, and under specific conditions it is possible to deserialize a malicious payload. This issue affects Apache Camel: from 3.0.0 before 3.21.4, from 3.22.0 before 3.22.1, from 4.0.0 before 4.0.4, from 4.1.0 before 4.4.0.
Users are recommended to upgrade to version 4.4.0, which fixes the issue. If users are on the 4.0.x LTS release stream, they should upgrade to 4.0.4. If users are on 3.x, they should move to 3.21.4 or 3.22.1.
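The four version ranges above are the kind of statement a build pipeline should check mechanically rather than by eye. The Python below is an added example, not Apache Camel project code: it reads the org.apache.camel dependency versions declared in a Maven POM (the POM fragment is constructed for the example), resolves `${property}` placeholders, and tests each version against the [introduced, fixed) ranges copied from this record. Version qualifiers such as `-SNAPSHOT` are dropped during comparison, which the code flags as a limitation.

```python
"""Check the Apache Camel versions declared in a Maven POM against the affected ranges of
CVE-2024-23114. Added example, not Apache Camel project code."""
import re
import xml.etree.ElementTree as ET

# [introduced, fixed) pairs copied from this record. Anything outside these ranges is
# unaffected: the record's defaultStatus is "unaffected".
AFFECTED_RANGES_CVE_2024_23114 = [
    ("3.0.0", "3.21.4"),
    ("3.22.0", "3.22.1"),
    ("4.0.0", "4.0.4"),
    ("4.1.0", "4.4.0"),
]

_NUMERIC_PREFIX = re.compile(r"^(\d+(?:\.\d+)*)")


def parse_version(version):
    """'4.0.4' -> (4, 0, 4). A qualifier such as '-SNAPSHOT' or '-RC1' is dropped, so a
    pre-release compares equal to its final release; treat qualified versions as needing
    manual review rather than trusting an 'unaffected' answer for them."""
    match = _NUMERIC_PREFIX.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    return parts + (0,) * (3 - len(parts))  # pad so that '4.4' == '4.4.0'


def is_affected(version, ranges=AFFECTED_RANGES_CVE_2024_23114):
    """True when version falls inside any [introduced, fixed) range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in ranges)


def _local(tag):
    """Strip the Maven POM XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def camel_versions_from_pom(pom_xml):
    """Return {artifactId: version} for org.apache.camel dependencies that declare a
    version directly in this POM, resolving ${property} placeholders from <properties>.
    Versions inherited from a parent or a BOM are not visible here; use the resolved
    dependency tree (mvn dependency:tree) for those."""
    root = ET.fromstring(pom_xml)
    properties = {}
    for node in root.iter():
        if _local(node.tag) == "properties":
            for prop in node:
                properties[_local(prop.tag)] = (prop.text or "").strip()

    def resolve(text):
        return re.sub(r"\$\{([^}]+)\}", lambda m: properties.get(m.group(1), m.group(0)), text)

    found = {}
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(child.tag): (child.text or "").strip() for child in dep}
        if fields.get("groupId") == "org.apache.camel" and fields.get("version"):
            found[fields["artifactId"]] = resolve(fields["version"])
    return found


def affected_camel_dependencies(pom_xml, ranges=AFFECTED_RANGES_CVE_2024_23114):
    """Subset of camel_versions_from_pom() whose version is in an affected range."""
    return {a: v for a, v in camel_versions_from_pom(pom_xml).items() if is_affected(v, ranges)}


# Constructed POM fragment: one dependency pinned through a property, one pinned inline.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <camel.version>4.3.0</camel.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.camel</groupId>
      <artifactId>camel-cassandraql</artifactId>
      <version>${camel.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.camel</groupId>
      <artifactId>camel-core</artifactId>
      <version>4.4.0</version>
    </dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for artifact, version in camel_versions_from_pom(SAMPLE_POM).items():
        status = "AFFECTED" if is_affected(version) else "not affected"
        print(f"{artifact} {version}: {status}")
```

The range table is the only part tied to this CVE; the same check works for any cvelistv5 record whose `affected` entries use `version`/`lessThan` semver pairs, as the other Camel records on this page do.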
References
URL | Tags
---|---
https://camel.apache.org/security/CVE-2024-23114.html | vendor-advisory
Impacted products
Vendor | Product | Version
---|---|---
Apache Software Foundation | Apache Camel | 3.0.0 ≤ version < 3.21.4
Apache Software Foundation | Apache Camel | 3.22.0 ≤ version < 3.22.1
Apache Software Foundation | Apache Camel | 4.0.0 ≤ version < 4.0.4
Apache Software Foundation | Apache Camel | 4.1.0 ≤ version < 4.4.0
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-01T22:51:11.265Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "vendor-advisory", "x_transferred", ], url: "https://camel.apache.org/security/CVE-2024-23114.html", }, ], title: "CVE Program Container", }, { affected: [ { cpes: [ "cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "camel", vendor: "apache", versions: [ { lessThan: "3.21.4", status: "affected", version: "3.0.0", versionType: "custom", }, { lessThan: "3.22.1", status: "affected", version: "3.22.0", versionType: "custom", }, { lessThan: "4.0.4", status: "affected", version: "4.0.0", versionType: "custom", }, { lessThan: "4.4.0", status: "affected", version: "4.1.0", versionType: "custom", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, }, { other: { content: { id: "CVE-2024-23114", options: [ { Exploitation: "none", }, { Automatable: "yes", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-08-28T19:49:44.817314Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-08-28T19:49:48.296Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Apache Camel", vendor: "Apache Software Foundation", versions: [ { lessThan: "3.21.4", status: "affected", version: "3.0.0", versionType: "semver", }, { lessThan: "3.22.1", status: "affected", version: "3.22.0", versionType: "semver", }, { lessThan: "4.0.4", status: "affected", version: "4.0.0", versionType: "semver", }, { lessThan: 
"4.4.0", status: "affected", version: "4.1.0", versionType: "semver", }, ], }, ], credits: [ { lang: "en", type: "finder", value: "Federico Mariani From Apache Software Foundation", }, { lang: "en", type: "finder", value: "Andrea Cosentino from Apache Software Foundation", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "Deserialization of Untrusted Data vulnerability in Apache Camel CassandraQL Component AggregationRepository which is vulnerable to unsafe deserialization. Under specific conditions it is possible to deserialize malicious payload.<p>This issue affects Apache Camel: from 3.0.0 before 3.21.4, from 3.22.0 before 3.22.1, from 4.0.0 before 4.0.4, from 4.1.0 before 4.4.0.</p><p>Users are recommended to upgrade to version 4.4.0, which fixes the issue. If users are on the 4.0.x LTS releases stream, then they are suggested to upgrade to 4.0.4. If users are on 3.x, they are suggested to move to 3.21.4 or 3.22.1</p>", }, ], value: "Deserialization of Untrusted Data vulnerability in Apache Camel CassandraQL Component AggregationRepository which is vulnerable to unsafe deserialization. Under specific conditions it is possible to deserialize malicious payload.This issue affects Apache Camel: from 3.0.0 before 3.21.4, from 3.22.0 before 3.22.1, from 4.0.0 before 4.0.4, from 4.1.0 before 4.4.0.\n\nUsers are recommended to upgrade to version 4.4.0, which fixes the issue. If users are on the 4.0.x LTS releases stream, then they are suggested to upgrade to 4.0.4. 
If users are on 3.x, they are suggested to move to 3.21.4 or 3.22.1\n\n", }, ], metrics: [ { other: { content: { text: "important", }, type: "Textual description of severity", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-502", description: "CWE-502 Deserialization of Untrusted Data", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-02-20T14:59:38.326Z", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "vendor-advisory", ], url: "https://camel.apache.org/security/CVE-2024-23114.html", }, ], source: { defect: [ "CAMEL-20306", ], discovery: "INTERNAL", }, title: "Apache Camel: Camel-CassandraQL: Unsafe Deserialization from CassandraAggregationRepository", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2024-23114", datePublished: "2024-02-20T14:59:38.326Z", dateReserved: "2024-01-11T17:22:53.091Z", dateUpdated: "2024-08-28T19:49:48.296Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2025-29891
Vulnerability from cvelistv5
Published
2025-03-12 14:42
Modified
2025-03-19 13:10
Severity: important (Apache); CVSS v3.1 4.8 MEDIUM, AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L (CISA ADP)
Summary
Bypass/Injection vulnerability in Apache Camel.
This issue affects Apache Camel: from 4.10.0 before 4.10.2, from 4.8.0 before 4.8.5, from 3.10.0 before 3.22.4.
Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases.
This vulnerability is present in Camel's default incoming header filter, which allows an attacker to include Camel-specific headers that, for some Camel components, can alter behaviour, such as the camel-bean component or the camel-exec component.
If you have Camel applications that are directly connected to the internet via HTTP, an attacker could include parameters in the HTTP requests sent to the Camel application that get translated into headers.
The headers can be supplied either as request parameters of the HTTP method invocation or as part of its payload (the request body).
All the known Camel HTTP components such as camel-servlet, camel-jetty, camel-undertow, camel-platform-http, and camel-netty-http are vulnerable out of the box.
This CVE is related to the CVE-2025-27636: while they have the same root cause and are fixed with the same fix, CVE-2025-27636 was assumed to only be exploitable if an attacker could add malicious HTTP headers, while we have now determined that it is also exploitable via HTTP parameters. Like in CVE-2025-27636, exploitation is only possible if the Camel route uses particular vulnerable components.
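The bypass described for CVE-2025-27636 and the request-parameter variant in this record come down to a single comparison: a case-sensitive prefix check in front of a header map that is looked up case-insensitively. The Python below is an added example, not Apache Camel's own code. It models the default incoming header filter on such a map, shows a forged name passing the pre-fix filter and being read back under its canonical name, and then shows the fixed comparison and a removeHeaders-style workaround as the advisory suggests. `CamelBeanMethodName` and `CamelJmsDestinationName` are the real header names of camel-bean and camel-jms; the header map class, the simplified bean method selection (a route that does not pin a method) and the sample request are assumptions or constructed data.

```python
"""Model of the CVE-2025-27636 / CVE-2025-29891 header-filter bypass and the advisory's
removeHeaders workaround. Added example: this is not Apache Camel source code. It assumes
two things the advisory implies: Camel stores message headers in a case-insensitive map,
and the HTTP consumer turns both request headers and request parameters into headers."""
import re

# Prefixes the default filter blocks (from the advisory). In the vulnerable versions the
# comparison is case-sensitive, so a name such as "cAmel..." slips through.
CANONICAL_PREFIXES = ("Camel", "camel", "org.apache.camel.")


class CaseInsensitiveHeaders:
    """Minimal stand-in for Camel's case-insensitive header map (assumption, see above)."""

    def __init__(self):
        self._items = {}  # lower-cased name -> (name as received, value)

    def put(self, name, value):
        self._items[name.lower()] = (name, value)

    def get(self, name, default=None):
        entry = self._items.get(name.lower())
        return default if entry is None else entry[1]

    def names(self):
        return sorted(name for name, _ in self._items.values())

    def remove_if(self, predicate):
        doomed = [key for key, (name, _) in self._items.items() if predicate(name)]
        for key in doomed:
            del self._items[key]


def vulnerable_is_blocked(name):
    """Pre-fix behaviour: exact-case prefix match only."""
    return name.startswith(CANONICAL_PREFIXES)


def hardened_is_blocked(name):
    """Fixed behaviour: compare the prefixes ignoring case."""
    lowered = name.lower()
    return lowered.startswith("camel") or lowered.startswith("org.apache.camel.")


def apply_inbound_filter(http_headers, query_params, is_blocked):
    """Build the Camel message headers from an HTTP request. Request headers and request
    parameters are both candidates (CVE-2025-29891); each name is checked by is_blocked."""
    headers = CaseInsensitiveHeaders()
    for name, value in list(http_headers.items()) + list(query_params.items()):
        if not is_blocked(name):
            headers.put(name, value)
    return headers


# Workaround modelled on the removeHeaders EIP: drop every header that looks like a Camel
# header when case is ignored but is not spelled with one of the canonical prefixes.
_CAMEL_LIKE = re.compile(r"(?i)^(camel|org\.apache\.camel\.)")


def remove_headers_workaround(headers):
    headers.remove_if(lambda n: bool(_CAMEL_LIKE.match(n)) and not n.startswith(CANONICAL_PREFIXES))
    return headers


def method_selected_by_bean(headers, bean_default="lookupUser"):
    """Simplified camel-bean method selection (assumption: the route does not pin a method
    in the endpoint URI, so a CamelBeanMethodName header decides)."""
    return headers.get("CamelBeanMethodName", bean_default)


# Constructed sample request: a forged header, a forged query parameter, and one
# canonically spelled Camel header that both filters reject.
SAMPLE_HTTP_HEADERS = {
    "Host": "camel-app.example",
    "Content-Type": "application/json",
    "cAmelBeanMethodName": "deleteAllUsers",
    "CamelHttpMethod": "DELETE",
}
SAMPLE_QUERY_PARAMS = {"id": "42", "CAMELJmsDestinationName": "queue.admin"}


def demo():
    """Return (vulnerable, hardened, worked-around) header views of the same request."""
    vulnerable = apply_inbound_filter(SAMPLE_HTTP_HEADERS, SAMPLE_QUERY_PARAMS, vulnerable_is_blocked)
    hardened = apply_inbound_filter(SAMPLE_HTTP_HEADERS, SAMPLE_QUERY_PARAMS, hardened_is_blocked)
    worked_around = remove_headers_workaround(
        apply_inbound_filter(SAMPLE_HTTP_HEADERS, SAMPLE_QUERY_PARAMS, vulnerable_is_blocked))
    return vulnerable, hardened, worked_around


if __name__ == "__main__":
    for label, view in zip(("vulnerable", "hardened", "workaround"), demo()):
        print(f"{label:11} headers={view.names()} bean method={method_selected_by_bean(view)}")
```

The workaround keeps canonically spelled Camel headers, which is what the advisory's "everything not starting with Camel, camel or org.apache.camel." describes; note that those canonical names are already rejected by the inbound filter when they arrive from the client, so what survives are the ones Camel components set themselves further along the route.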
References
URL | Tags
---|---
https://camel.apache.org/security/CVE-2025-27636.html | related
https://camel.apache.org/security/CVE-2025-29891.html | vendor-advisory
Impacted products
Vendor | Product | Version
---|---|---
Apache Software Foundation | Apache Camel | 4.10.0 ≤ version < 4.10.2
Apache Software Foundation | Apache Camel | 4.8.0 ≤ version < 4.8.5
Apache Software Foundation | Apache Camel | 3.10.0 ≤ version < 3.22.4
{ containers: { adp: [ { metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 4.8, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L", version: "3.1", }, }, { other: { content: { id: "CVE-2025-29891", options: [ { Exploitation: "poc", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-03-19T13:08:59.375705Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-03-19T13:10:01.834Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, references: [ { tags: [ "exploit", ], url: "https://github.com/akamai/CVE-2025-27636-Apache-Camel-PoC", }, ], title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { collectionURL: "https://repo.maven.apache.org/maven2", defaultStatus: "unaffected", packageName: "org.apache.camel:camel", product: "Apache Camel", vendor: "Apache Software Foundation", versions: [ { lessThan: "4.10.2", status: "affected", version: "4.10.0", versionType: "semver", }, { lessThan: "4.8.5", status: "affected", version: "4.8.0", versionType: "semver", }, { lessThan: "3.22.4", status: "affected", version: "3.10.0", versionType: "semver", }, ], }, ], credits: [ { lang: "en", type: "finder", value: "Citi Cyber Security Operations", }, { lang: "en", type: "reporter", value: "Akamai Security Intelligence Group (SIG)", }, { lang: "en", type: "finder", value: "Mark Thorson of AT&T", }, { lang: "en", type: "reporter", value: "Mark Thorson of AT&T", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>Bypass/Injection vulnerability in Apache Camel.</p><p>This issue affects Apache Camel: from 4.10.0 before 4.10.2, from 4.8.0 before 4.8.5, from 3.10.0 before 3.22.4.</p><p>Users are recommended 
to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases.</p><p>This vulnerability is present in Camel's default incoming header filter, that allows an attacker to include Camel specific headers that for some Camel components can alter the behaviours such as the camel-bean component, or the camel-exec component.</p><p>If you have Camel applications that are directly connected to the internet via HTTP, then an attacker <span style=\"background-color: rgb(255, 255, 255);\">could include parameters in the HTTP requests that are sent to the Camel application that get translated into headers.</span> </p><p>The headers could be both provided as request parameters for an HTTP methods invocation or as part of the payload of the HTTP methods invocation.</p><p><span style=\"background-color: var(--wht);\">All the known Camel HTTP component such as camel-servlet, camel-jetty, camel-undertow, camel-platform-http, and camel-netty-http would be vulnerable out of the box.</span></p><span style=\"background-color: rgb(255, 255, 255);\">This CVE is related to the CVE-2025-27636: while they have the same root cause and are fixed with the same fix, CVE-2025-27636 was assumed to only be exploitable if an attacker could add malicious HTTP headers, while we have now determined that it is also exploitable via HTTP parameters. 
Like in CVE-2025-27636, exploitation is only possible if the Camel route uses particular vulnerable components.</span><p></p>", }, ], value: "Bypass/Injection vulnerability in Apache Camel.\n\nThis issue affects Apache Camel: from 4.10.0 before 4.10.2, from 4.8.0 before 4.8.5, from 3.10.0 before 3.22.4.\n\nUsers are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases.\n\nThis vulnerability is present in Camel's default incoming header filter, that allows an attacker to include Camel specific headers that for some Camel components can alter the behaviours such as the camel-bean component, or the camel-exec component.\n\nIf you have Camel applications that are directly connected to the internet via HTTP, then an attacker could include parameters in the HTTP requests that are sent to the Camel application that get translated into headers. \n\nThe headers could be both provided as request parameters for an HTTP methods invocation or as part of the payload of the HTTP methods invocation.\n\nAll the known Camel HTTP component such as camel-servlet, camel-jetty, camel-undertow, camel-platform-http, and camel-netty-http would be vulnerable out of the box.\n\nThis CVE is related to the CVE-2025-27636: while they have the same root cause and are fixed with the same fix, CVE-2025-27636 was assumed to only be exploitable if an attacker could add malicious HTTP headers, while we have now determined that it is also exploitable via HTTP parameters. 
Like in CVE-2025-27636, exploitation is only possible if the Camel route uses particular vulnerable components.", }, ], metrics: [ { other: { content: { text: "important", }, type: "Textual description of severity", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-164", description: "CWE-164 Improper Neutralization of Internal Special Elements", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-03-13T08:22:07.519Z", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "related", ], url: "https://camel.apache.org/security/CVE-2025-27636.html", }, { tags: [ "vendor-advisory", ], url: "https://camel.apache.org/security/CVE-2025-29891.html", }, ], source: { defect: [ "CAMEL-21828", ], discovery: "UNKNOWN", }, title: "Apache Camel: Camel Message Header Injection through request parameters", x_generator: { engine: "Vulnogram 0.2.0", }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2025-29891", datePublished: "2025-03-12T14:42:59.644Z", dateReserved: "2025-03-12T08:48:54.633Z", dateUpdated: "2025-03-19T13:10:01.834Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2017-3159
Vulnerability from cvelistv5
Published
2017-03-07 15:00
Modified
2024-08-05 14:16
Summary
Apache Camel's camel-snakeyaml component is vulnerable to Java object de-serialization. De-serializing untrusted data can lead to security flaws.
References
URL | Tags
---|---
https://access.redhat.com/errata/RHSA-2017:0868 | vendor-advisory, x_refsource_REDHAT
https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true | x_refsource_MISC
http://www.securityfocus.com/bid/96321 | vdb-entry, x_refsource_BID
http://www.openwall.com/lists/oss-security/2017/05/22/2 | mailing-list, x_refsource_MLIST
http://camel.apache.org/security-advisories.data/CVE-2017-3159.txt.asc?version=1&modificationDate=1486565167000&api=v2 | x_refsource_CONFIRM
https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d%40%3Ccommits.camel.apache.org%3E | mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E | mailing-list, x_refsource_MLIST
Impacted products
Vendor | Product | Version
---|---|---
Apache Software Foundation | Apache Camel | 2.17.0 to 2.17.4; 2.18.0 to 2.18.1; the unsupported Camel 2.x (2.14 and earlier) versions may be also affected
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T14:16:28.249Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "RHSA-2017:0868", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2017:0868", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true", }, { name: "96321", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/96321", }, { name: "[oss-security] 20170522 Code Execution through a variety Java (Un-)Marshallers", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2017/05/22/2", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://camel.apache.org/security-advisories.data/CVE-2017-3159.txt.asc?version=1&modificationDate=1486565167000&api=v2", }, { name: "[camel-commits] 20190430 svn commit: r1044347 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0194.txt.asc security-advisories.html", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d%40%3Ccommits.camel.apache.org%3E", }, { name: "[camel-commits] 20190524 svn commit: r1045395 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0188.txt.asc security-advisories.html", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Apache Camel", vendor: "Apache Software Foundation", versions: [ { status: "affected", version: "2.17.0 to 2.17.4", }, { status: "affected", 
version: "2.18.0 to 2.18.1", }, { status: "affected", version: "The unsupported Camel 2.x (2.14 and earlier) versions may be also affected.", }, ], }, ], datePublic: "2017-03-07T00:00:00", descriptions: [ { lang: "en", value: "Apache Camel's camel-snakeyaml component is vulnerable to Java object de-serialization vulnerability. De-serializing untrusted data can lead to security flaws.", }, ], problemTypes: [ { descriptions: [ { description: "Java deserialization", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2019-05-24T10:06:03", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { name: "RHSA-2017:0868", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2017:0868", }, { tags: [ "x_refsource_MISC", ], url: "https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true", }, { name: "96321", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/96321", }, { name: "[oss-security] 20170522 Code Execution through a variety Java (Un-)Marshallers", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://www.openwall.com/lists/oss-security/2017/05/22/2", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://camel.apache.org/security-advisories.data/CVE-2017-3159.txt.asc?version=1&modificationDate=1486565167000&api=v2", }, { name: "[camel-commits] 20190430 svn commit: r1044347 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0194.txt.asc security-advisories.html", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d%40%3Ccommits.camel.apache.org%3E", }, { name: "[camel-commits] 20190524 svn commit: r1045395 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0188.txt.asc security-advisories.html", tags: [ "mailing-list", 
"x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@apache.org", ID: "CVE-2017-3159", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Apache Camel", version: { version_data: [ { version_value: "2.17.0 to 2.17.4", }, { version_value: "2.18.0 to 2.18.1", }, { version_value: "The unsupported Camel 2.x (2.14 and earlier) versions may be also affected.", }, ], }, }, ], }, vendor_name: "Apache Software Foundation", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Apache Camel's camel-snakeyaml component is vulnerable to Java object de-serialization vulnerability. De-serializing untrusted data can lead to security flaws.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Java deserialization", }, ], }, ], }, references: { reference_data: [ { name: "RHSA-2017:0868", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2017:0868", }, { name: "https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true", refsource: "MISC", url: "https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true", }, { name: "96321", refsource: "BID", url: "http://www.securityfocus.com/bid/96321", }, { name: "[oss-security] 20170522 Code Execution through a variety Java (Un-)Marshallers", refsource: "MLIST", url: "http://www.openwall.com/lists/oss-security/2017/05/22/2", }, { name: "http://camel.apache.org/security-advisories.data/CVE-2017-3159.txt.asc?version=1&modificationDate=1486565167000&api=v2", refsource: "CONFIRM", url: "http://camel.apache.org/security-advisories.data/CVE-2017-3159.txt.asc?version=1&modificationDate=1486565167000&api=v2", }, { name: "[camel-commits] 20190430 svn commit: r1044347 - in 
/websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0194.txt.asc security-advisories.html", refsource: "MLIST", url: "https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d@%3Ccommits.camel.apache.org%3E", }, { name: "[camel-commits] 20190524 svn commit: r1045395 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0188.txt.asc security-advisories.html", refsource: "MLIST", url: "https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf@%3Ccommits.camel.apache.org%3E", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2017-3159", datePublished: "2017-03-07T15:00:00", dateReserved: "2016-12-05T00:00:00", dateUpdated: "2024-08-05T14:16:28.249Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2017-12634
Vulnerability from cvelistv5
Published
2017-11-15 15:00
Modified
2024-09-16 18:43
Summary
The camel-castor component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-serialization. De-serializing untrusted data can lead to security flaws.
References
URL | Tags
---|---
https://access.redhat.com/errata/RHSA-2018:0319 | vendor-advisory, x_refsource_REDHAT
http://www.securityfocus.com/bid/101876 | vdb-entry, x_refsource_BID
https://issues.apache.org/jira/browse/CAMEL-11929 | x_refsource_CONFIRM
http://camel.apache.org/security-advisories.data/CVE-2017-12634.txt.asc | x_refsource_CONFIRM
https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d%40%3Ccommits.camel.apache.org%3E | mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E | mailing-list, x_refsource_MLIST
Impacted products
Vendor | Product | Version
---|---|---
Apache Software Foundation | Apache Camel | 2.19.0 to 2.19.3; 2.20.0; the unsupported Camel 2.x (2.18 and earlier) versions may be also affected
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T18:43:56.451Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "RHSA-2018:0319", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2018:0319", }, { name: "101876", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/101876", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://issues.apache.org/jira/browse/CAMEL-11929", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://camel.apache.org/security-advisories.data/CVE-2017-12634.txt.asc", }, { name: "[camel-commits] 20190430 svn commit: r1044347 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0194.txt.asc security-advisories.html", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d%40%3Ccommits.camel.apache.org%3E", }, { name: "[camel-commits] 20190524 svn commit: r1045395 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0188.txt.asc security-advisories.html", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Apache Camel", vendor: "Apache Software Foundation", versions: [ { status: "affected", version: "2.19.0 to 2.19.3", }, { status: "affected", version: "2.20.0", }, { status: "affected", version: "The unsupported Camel 2.x (2.18 and earlier) versions may be also affected.", }, ], }, ], datePublic: "2017-11-15T00:00:00", descriptions: [ { lang: "en", value: "The camel-castor component in Apache Camel 2.x before 2.19.4 and 2.20.x before 
2.20.1 is vulnerable to Java object de-serialisation vulnerability. De-serializing untrusted data can lead to security flaws.", }, ], problemTypes: [ { descriptions: [ { description: "Apache Camel's Castor unmarshalling operation is vulnerable to Remote Code Execution attacks", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2019-05-24T10:06:03", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { name: "RHSA-2018:0319", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2018:0319", }, { name: "101876", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/101876", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://issues.apache.org/jira/browse/CAMEL-11929", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://camel.apache.org/security-advisories.data/CVE-2017-12634.txt.asc", }, { name: "[camel-commits] 20190430 svn commit: r1044347 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0194.txt.asc security-advisories.html", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d%40%3Ccommits.camel.apache.org%3E", }, { name: "[camel-commits] 20190524 svn commit: r1045395 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0188.txt.asc security-advisories.html", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@apache.org", DATE_PUBLIC: "2017-11-15T00:00:00", ID: "CVE-2017-12634", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Apache Camel", version: { version_data: [ { version_value: "2.19.0 to 2.19.3", }, { 
version_value: "2.20.0", }, { version_value: "The unsupported Camel 2.x (2.18 and earlier) versions may be also affected.", }, ], }, }, ], }, vendor_name: "Apache Software Foundation", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "The camel-castor component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-serialisation vulnerability. De-serializing untrusted data can lead to security flaws.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Apache Camel's Castor unmarshalling operation is vulnerable to Remote Code Execution attacks", }, ], }, ], }, references: { reference_data: [ { name: "RHSA-2018:0319", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2018:0319", }, { name: "101876", refsource: "BID", url: "http://www.securityfocus.com/bid/101876", }, { name: "https://issues.apache.org/jira/browse/CAMEL-11929", refsource: "CONFIRM", url: "https://issues.apache.org/jira/browse/CAMEL-11929", }, { name: "http://camel.apache.org/security-advisories.data/CVE-2017-12634.txt.asc", refsource: "CONFIRM", url: "http://camel.apache.org/security-advisories.data/CVE-2017-12634.txt.asc", }, { name: "[camel-commits] 20190430 svn commit: r1044347 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0194.txt.asc security-advisories.html", refsource: "MLIST", url: "https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d@%3Ccommits.camel.apache.org%3E", }, { name: "[camel-commits] 20190524 svn commit: r1045395 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0188.txt.asc security-advisories.html", refsource: "MLIST", url: "https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf@%3Ccommits.camel.apache.org%3E", }, ], }, }, }, }, cveMetadata: { 
assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2017-12634", datePublished: "2017-11-15T15:00:00Z", dateReserved: "2017-08-07T00:00:00", dateUpdated: "2024-09-16T18:43:28.109Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2018-8027
Vulnerability from cvelistv5
Published
2018-07-31 13:00
Modified
2024-09-16 19:25
Summary
Apache Camel Core 2.20.0 to 2.20.3 and 2.21.0 is vulnerable to XXE in the XSD validation processor.
References
URL | Tags
---|---
http://www.securityfocus.com/bid/104933 | vdb-entry, x_refsource_BID
https://lists.apache.org/thread.html/77f596fc63e63c2e9adcff3c34759b32c225cf0b582aedb755adaade%40%3Cdev.camel.apache.org%3E | mailing-list, x_refsource_MLIST
http://camel.apache.org/security-advisories.data/CVE-2018-8027.txt.asc | x_refsource_CONFIRM
https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d%40%3Ccommits.camel.apache.org%3E | mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E | mailing-list, x_refsource_MLIST
Impacted products
Vendor | Product | Version
---|---|---
Apache Software Foundation | Apache Camel | 2.20.0 to 2.20.3; 2.21.0
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T06:46:12.239Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "104933", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/104933", }, { name: "[camel-dev] 20180731 [SECURITY] New security advisory CVE-2018-8027 released for Apache Camel", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/77f596fc63e63c2e9adcff3c34759b32c225cf0b582aedb755adaade%40%3Cdev.camel.apache.org%3E", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://camel.apache.org/security-advisories.data/CVE-2018-8027.txt.asc", }, { name: "[camel-commits] 20190430 svn commit: r1044347 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0194.txt.asc security-advisories.html", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d%40%3Ccommits.camel.apache.org%3E", }, { name: "[camel-commits] 20190524 svn commit: r1045395 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0188.txt.asc security-advisories.html", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Apache Camel", vendor: "Apache Software Foundation", versions: [ { status: "affected", version: "2.20.0 to 2.20.3", }, { status: "affected", version: "2.21.0", }, ], }, ], datePublic: "2018-07-31T00:00:00", descriptions: [ { lang: "en", value: "Apache Camel 2.20.0 to 2.20.3 and 2.21.0 Core is vulnerable to XXE in XSD validation processor.", }, ], problemTypes: [ { descriptions: [ { description: "XML 
External Entity", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2019-05-24T10:06:04", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { name: "104933", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/104933", }, { name: "[camel-dev] 20180731 [SECURITY] New security advisory CVE-2018-8027 released for Apache Camel", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/77f596fc63e63c2e9adcff3c34759b32c225cf0b582aedb755adaade%40%3Cdev.camel.apache.org%3E", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://camel.apache.org/security-advisories.data/CVE-2018-8027.txt.asc", }, { name: "[camel-commits] 20190430 svn commit: r1044347 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0194.txt.asc security-advisories.html", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d%40%3Ccommits.camel.apache.org%3E", }, { name: "[camel-commits] 20190524 svn commit: r1045395 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0188.txt.asc security-advisories.html", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@apache.org", DATE_PUBLIC: "2018-07-31T00:00:00", ID: "CVE-2018-8027", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Apache Camel", version: { version_data: [ { version_value: "2.20.0 to 2.20.3", }, { version_value: "2.21.0", }, ], }, }, ], }, vendor_name: "Apache Software Foundation", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: 
"Apache Camel 2.20.0 to 2.20.3 and 2.21.0 Core is vulnerable to XXE in XSD validation processor.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "XML External Entity", }, ], }, ], }, references: { reference_data: [ { name: "104933", refsource: "BID", url: "http://www.securityfocus.com/bid/104933", }, { name: "[camel-dev] 20180731 [SECURITY] New security advisory CVE-2018-8027 released for Apache Camel", refsource: "MLIST", url: "https://lists.apache.org/thread.html/77f596fc63e63c2e9adcff3c34759b32c225cf0b582aedb755adaade@%3Cdev.camel.apache.org%3E", }, { name: "http://camel.apache.org/security-advisories.data/CVE-2018-8027.txt.asc", refsource: "CONFIRM", url: "http://camel.apache.org/security-advisories.data/CVE-2018-8027.txt.asc", }, { name: "[camel-commits] 20190430 svn commit: r1044347 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0194.txt.asc security-advisories.html", refsource: "MLIST", url: "https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d@%3Ccommits.camel.apache.org%3E", }, { name: "[camel-commits] 20190524 svn commit: r1045395 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0188.txt.asc security-advisories.html", refsource: "MLIST", url: "https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf@%3Ccommits.camel.apache.org%3E", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2018-8027", datePublished: "2018-07-31T13:00:00Z", dateReserved: "2018-03-09T00:00:00", dateUpdated: "2024-09-16T19:25:52.726Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-22369
Vulnerability from cvelistv5
Published
2024-02-20 14:58
Modified
2024-11-05 19:47
Summary
Deserialization of Untrusted Data vulnerability in Apache Camel SQL Component. This issue affects Apache Camel: from 3.0.0 before 3.21.4, from 3.22.0 before 3.22.1, from 4.0.0 before 4.0.4, from 4.1.0 before 4.4.0.
Users are recommended to upgrade to version 4.4.0, which fixes the issue. If users are on the 4.0.x LTS release stream, they are suggested to upgrade to 4.0.4. If users are on 3.x, they are suggested to move to 3.21.4 or 3.22.1.
References
URL | Tags
---|---
https://lists.apache.org/thread/3dko781dy2gy5l3fs48p56fgp429yb0f | vendor-advisory
Impacted products
Vendor | Product | Version
---|---|---
Apache Software Foundation | Apache Camel | 3.0.0 ≤ version < 3.21.4; 3.22.0 ≤ version < 3.22.1; 4.0.0 ≤ version < 4.0.4; 4.1.0 ≤ version < 4.4.0
{ containers: { adp: [ { affected: [ { cpes: [ "cpe:2.3:a:apache:camel:3.0.0:-:*:*:*:*:*:*", "cpe:2.3:a:apache:camel:3.22.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:camel:4.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:camel:4.1.0:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "camel", vendor: "apache", versions: [ { lessThan: "3.21.4", status: "affected", version: "3.0.0", versionType: "custom", }, { lessThan: "3.22.1", status: "affected", version: "3.22.0", versionType: "custom", }, { lessThan: "4.0.4", status: "affected", version: "4.0.0", versionType: "custom", }, { lessThan: "4.4.0", status: "affected", version: "4.1.0", versionType: "custom", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", version: "3.1", }, }, { other: { content: { id: "CVE-2024-22369", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-02-20T18:46:02.736351Z", version: "2.0.3", }, type: "ssvc", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-502", description: "CWE-502 Deserialization of Untrusted Data", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-11-05T19:47:09.797Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-01T22:43:34.477Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "vendor-advisory", "x_transferred", ], url: "https://lists.apache.org/thread/3dko781dy2gy5l3fs48p56fgp429yb0f", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { collectionURL: "https://repo.maven.apache.org/maven2", defaultStatus: 
"unaffected", packageName: "org.apache.camel:camel-sql", product: "Apache Camel", vendor: "Apache Software Foundation", versions: [ { lessThan: "3.21.4", status: "affected", version: "3.0.0", versionType: "semver", }, { lessThan: "3.22.1", status: "affected", version: "3.22.0", versionType: "semver", }, { lessThan: "4.0.4", status: "affected", version: "4.0.0", versionType: "semver", }, { lessThan: "4.4.0", status: "affected", version: "4.1.0", versionType: "semver", }, ], }, ], credits: [ { lang: "en", type: "finder", value: "Ziyang Chen from HuaWei Open Source Management Center", }, { lang: "en", type: "finder", value: "Pingtao Wei from HuaWei Open Source Management Center", }, { lang: "en", type: "finder", value: "Haoran Zhi from HuaWei Open Source Management Center", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "Deserialization of Untrusted Data vulnerability in Apache Camel SQL Component<p>This issue affects Apache Camel: from 3.0.0 before 3.21.4, from 3.22.0 before 3.22.1, from 4.0.0 before 4.0.4, from 4.1.0 before 4.4.0.</p><p>Users are recommended to upgrade to version 4.4.0, which fixes the issue. If users are on the 4.0.x LTS releases stream, then they are suggested to upgrade to 4.0.4. If users are on 3.x, they are suggested to move to 3.21.4 or 3.22.1</p>", }, ], value: "Deserialization of Untrusted Data vulnerability in Apache Camel SQL ComponentThis issue affects Apache Camel: from 3.0.0 before 3.21.4, from 3.22.0 before 3.22.1, from 4.0.0 before 4.0.4, from 4.1.0 before 4.4.0.\n\nUsers are recommended to upgrade to version 4.4.0, which fixes the issue. If users are on the 4.0.x LTS releases stream, then they are suggested to upgrade to 4.0.4. 
If users are on 3.x, they are suggested to move to 3.21.4 or 3.22.1\n\n", }, ], metrics: [ { other: { content: { text: "important", }, type: "Textual description of severity", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-502", description: "CWE-502 Deserialization of Untrusted Data", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-02-20T14:58:36.291Z", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "vendor-advisory", ], url: "https://lists.apache.org/thread/3dko781dy2gy5l3fs48p56fgp429yb0f", }, ], source: { advisory: "https://camel.apache.org/security/CVE-2024-22369.html", defect: [ "CAMEL-20303", ], discovery: "EXTERNAL", }, title: "Apache Camel: Camel-SQL: Unsafe Deserialization from JDBCAggregationRepository", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2024-22369", datePublished: "2024-02-20T14:58:36.291Z", dateReserved: "2024-01-09T09:46:19.456Z", dateUpdated: "2024-11-05T19:47:09.797Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
jvndb-2019-000027
Vulnerability from jvndb
Published
2019-05-22 14:37
Modified
2019-09-30 18:14
Summary
Apache Camel vulnerable to XML external entity injection (XXE)
Details
Apache Camel provided by The Apache Software Foundation contains an XML external entity injection (XXE) vulnerability (CWE-611) due to using an outdated vulnerable JSON-lib library.
Takayoshi Isayama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
Impacted products
Vendor | Product
---|---
Apache Software Foundation | Apache Camel
{ "@rdf:about": "https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000027.html", "dc:date": "2019-09-30T18:14+09:00", "dcterms:issued": "2019-05-22T14:37+09:00", "dcterms:modified": "2019-09-30T18:14+09:00", description: "Apache Camel provided by The Apache Software Foundation contains an XML external entity injection (XXE) vulnerability (CWE-611) due to using an outdated vulnerable JSON-lib library.\r\n\r\nTakayoshi Isayama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.", link: "https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000027.html", "sec:cpe": { "#text": "cpe:/a:apache:camel", "@product": "Apache Camel", "@vendor": "Apache Software Foundation", "@version": "2.2", }, "sec:cvss": [ { "@score": "5.0", "@severity": "Medium", "@type": "Base", "@vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "@version": "2.0", }, { "@score": "5.8", "@severity": "Medium", "@type": "Base", "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "@version": "3.0", }, ], "sec:identifier": "JVNDB-2019-000027", "sec:references": [ { "#text": "https://jvn.jp/en/jp/JVN71498764/index.html", "@id": "JVN#71498764", "@source": "JVN", }, { "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0188", "@id": "CVE-2019-0188", "@source": "CVE", }, { "#text": "https://nvd.nist.gov/vuln/detail/CVE-2019-0188", "@id": "CVE-2019-0188", "@source": "NVD", }, { "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html", "@id": "CWE-Other", "@title": "No Mapping(CWE-Other)", }, ], title: "Apache Camel vulnerable to XML external entity injection (XXE)", }