Apache Camel vulnerabilities

30 known vulnerabilities affecting apache/camel.

Total CVEs: 30
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 10, HIGH 11, MEDIUM 8, LOW 1

Vulnerabilities

Page 2 of 2
CVE-2016-8749 | CRITICAL | CVSS 9.8 | v2.16.0, v2.16.1, +10 more | 2017-03-28
CWE-502. Apache Camel's Jackson and JacksonXML unmarshalling operation are vulnerable to Remote Code Execution attacks.
Source: nvd
CVE-2017-5643 | HIGH | CVSS 7.4 | ≤ 2.16.0, v2.17.0, +8 more | 2017-03-16
CWE-918. Apache Camel's Validation Component is vulnerable against SSRF via remote DTDs and XXE.
Source: nvd
CVE-2017-3159 | CRITICAL | CVSS 9.8 | ≤ 2.14.4; ≥ 2.17.0, ≤ 2.17.4; +1 more | 2017-03-07
CWE-502. Apache Camel's camel-snakeyaml component is vulnerable to Java object de-serialization vulnerability. De-serializing untrusted data can lead to security flaws.
Source: nvd
CVE-2015-5348 | HIGH | CVSS 8.1 | v2.6.0, v2.7.0, +56 more | 2016-04-15
CWE-19. Apache Camel 2.6.x through 2.14.x, 2.15.x before 2.15.5, and 2.16.x before 2.16.1, when using (1) camel-jetty or (2) camel-servlet as a consumer in Camel routes, allow remote attackers to execute arbitrary commands via a crafted serialized Java object in an HTTP request.
Source: nvd
CVE-2015-5344 | CRITICAL | CVSS 9.8 | ≤ 2.15.4, v2.16.0 | 2016-02-03
CWE-19. The camel-xstream component in Apache Camel before 2.15.5 and 2.16.x before 2.16.1 allow remote attackers to execute arbitrary commands via a crafted serialized Java object in an HTTP request.
Source: nvd
CVE-2015-0264 | MEDIUM | CVSS 5.0 | ≤ 2.13.3, v2.14.0, +1 more | 2015-06-03
Multiple XML external entity (XXE) vulnerabilities in builder/xml/XPathBuilder.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allow remote attackers to read arbitrary files via an external entity in an invalid XML (1) String or (2) GenericFile object in an XPath query.
Source: nvd
CVE-2015-0263 | MEDIUM | CVSS 5.0 | ≤ 2.13.3, v2.14.0, +1 more | 2015-06-03
XML external entity (XXE) vulnerability in the XML converter setup in converter/jaxp/XmlConverter.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allows remote attackers to read arbitrary files via an external entity in an SAXSource.
Source: nvd
CVE-2014-0003 | HIGH | CVSS 7.5 | ≤ 2.11.3, v1.0.0, +26 more | 2014-03-21
CWE-264. The XSLT component in Apache Camel 2.11.x before 2.11.4, 2.12.x before 2.12.3, and possibly earlier versions allows remote attackers to execute arbitrary Java methods via a crafted message.
Source: nvd
CVE-2014-0002 | HIGH | CVSS 7.5 | ≤ 2.11.3, v1.0.0, +26 more | 2014-03-21
CWE-264. The XSLT component in Apache Camel before 2.11.4 and 2.12.x before 2.12.3 allows remote attackers to read arbitrary files and possibly have other unspecified impact via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
Source: nvd
CVE-2013-4330 | MEDIUM | CVSS 6.8 | ≤ 2.9.6, v1.0.0, +46 more | 2013-10-04
CWE-94. Apache Camel before 2.9.7, 2.10.0 before 2.10.7, 2.11.0 before 2.11.2, and 2.12.0 allows remote attackers to execute arbitrary simple language expressions by including "$simple{}" in a CamelFileName message header to a (1) FILE or (2) FTP producer.
Source: nvd