-
Notifications
You must be signed in to change notification settings - Fork 0
/
CVE-2017-5643.txt.asc
30 lines (21 loc) · 1.48 KB
/
CVE-2017-5643.txt.asc
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
CVE-2017-5643: Apache Camel's Validation Component is vulnerable against SSRF via remote DTDs and XXE.
Severity: MEDIUM
Vendor: The Apache Software Foundation
Versions Affected: Camel 2.17.0 to 2.17.5, Camel 2.18.0 to 2.18.2
The unsupported Camel 2.x (2.16 and earlier) versions may be also affected.
Description: The Validation Component of Apache Camel evaluates DTD headers of XML stream sources, although a validation against XML schemas (XSD) is executed. Remote attackers can use this feature to make Server-Side Request Forgery (SSRF) attacks by sending XML documents with remote DTDs URLs or XML External Entities (XXE). The vulnerability is not given for SAX or StAX sources.
Mitigation: 2.17.x users should upgrade to 2.17.6, 2.18.x users should upgrade to 2.18.3.
The JIRA tickets https://issues.apache.org/jira/browse/CAMEL-10894 refers to the various commits that resolved the issue, and have more details.
Credit: This issue was discovered by Franz Forsthofer
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
iQEcBAEBAgAGBQJYykp3AAoJEONOnzgC/0EAW1IH+gK4vn5vD+Nve0BWGjMwi7ja
37HH89UdViakH44YBhUObxXrZ+zAJ53fSuXhorcH8zT8hSdgIhuSkhvMKfWfSr5t
pVAh2sNLO8Mnpv/8K2HZ8QVL5RuaYdDcI19TAYO2iSrxI+PX8P3SGqbBmNu1c6E3
0uVJSCcBscvSporgXdNi4+Oh8YpuuQAmocHbUJf+kK8Sc/Z7rTlMzCJwORvuoekM
0HDC+bfhNgoBU/k6qclTxTEbxMByDX354go/fz8RB/VKzaLuT8UcMp5rvgIYBJTs
kT6K2NchfXIMo8Zmq2iq3QfabtuXgsJtUjYRFHasrFSvrzoqzXpoaTE1XCFgobE=
=BTx+
-----END PGP SIGNATURE-----