CVE-2015-0264

CWE-611 — XML External Entity (XXE)7 documents7 sources

Severity

5.0MEDIUM

EPSS

2.0%

top 16.27%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Camel

Timeline

PublishedJun 3

Latest updateOct 16

Description

Multiple XML external entity (XXE) vulnerabilities in builder/xml/XPathBuilder.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allow remote attackers to read arbitrary files via an external entity in an invalid XML (1) String or (2) GenericFile object in an XPath query.

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages2 packages

▶Mavenorg.apache.camel:camel-core2.14.0 — 2.14.2+1

▶NVDapache/camel2.13.3+2

🔴Vulnerability Details

GHSA

Apache Camel allows remote actor to read arbitrary files via external entity in invalid XML string or GenericFile object↗2018-10-16

▶

OSV

Apache Camel allows remote actor to read arbitrary files via external entity in invalid XML string or GenericFile object↗2018-10-16

▶

CVEList

CVE-2015-0264: Multiple XML external entity (XXE) vulnerabilities in builder/xml/XPathBuilder↗2015-06-03

▶

📋Vendor Advisories

Red Hat

Camel: XXE via XPath expression evaluation↗2015-03-17

▶

Apache

Apache camel: CVE-2015-0264↗

▶

💬Community

Bugzilla

CVE-2015-0264 Camel: XXE via XPath expression evaluation↗2015-03-18

▶