| title | url | date | draft | type | cve | severity | summary | description | mitigation | credit | affected | fixed |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
Apache Camel Security Advisory - CVE-2017-5643 |
/security/CVE-2017-5643.html |
2017-03-16 04:59:00 -0700 |
false |
security-advisory |
CVE-2017-5643 |
MEDIUM |
Apache Camel's Validation Component is vulnerable against SSRF via remote DTDs and XXE |
The Validation Component of Apache Camel evaluates DTD headers of XML stream sources, although a validation against XML schemas (XSD) is executed. Remote attackers can use this feature to make Server-Side Request Forgery (SSRF) attacks by sending XML documents with remote DTDs URLs or XML External Entities (XXE). The vulnerability is not given for SAX or StAX sources. |
2.17.x users should upgrade to 2.17.6, 2.18.x users should upgrade to 2.18.3. |
This issue was discovered by Franz Forsthofer |
2.17.0 up to 2.17.5, 2.18.0 up to 2.18.2 |
2.17.6, 2.18.3 and newer |
The JIRA tickets https://issues.apache.org/jira/browse/CAMEL-10894 refers to the various commits that resolved the issue, and have more details.