CVE-2014-0002
First published: Wed Jan 08 2014(Updated: )
It was found that the Apache Camel XSLT component would resolve entities in XML messages when transforming them using an xslt: route. A remote attacker able to submit messages to an xslt: Camel route could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.apache.camel:camel-core | >=2.12.0<2.12.3 | 2.12.3 |
| maven/org.apache.camel:camel-core | <2.11.4 | 2.11.4 |
| Red Hat Build of Apache Camel | <=2.11.3 | |
| Red Hat Build of Apache Camel | =1.0.0 | |
| Red Hat Build of Apache Camel | =1.1.0 | |
| Red Hat Build of Apache Camel | =1.2.0 | |
| Red Hat Build of Apache Camel | =1.3.0 | |
| Red Hat Build of Apache Camel | =1.4.0 | |
| Red Hat Build of Apache Camel | =1.5.0 | |
| Red Hat Build of Apache Camel | =1.6.0 | |
| Red Hat Build of Apache Camel | =1.6.1 | |
| Red Hat Build of Apache Camel | =1.6.2 | |
| Red Hat Build of Apache Camel | =1.6.3 | |
| Red Hat Build of Apache Camel | =1.6.4 | |
| Red Hat Build of Apache Camel | =2.0.0 | |
| Red Hat Build of Apache Camel | =2.0.0-milestone1 | |
| Red Hat Build of Apache Camel | =2.0.0-milestone2 | |
| Red Hat Build of Apache Camel | =2.0.0-milestone3 | |
| Red Hat Build of Apache Camel | =2.1.0 | |
| Red Hat Build of Apache Camel | =2.10.0 | |
| Red Hat Build of Apache Camel | =2.10.1 | |
| Red Hat Build of Apache Camel | =2.10.2 | |
| Red Hat Build of Apache Camel | =2.10.3 | |
| Red Hat Build of Apache Camel | =2.10.4 | |
| Red Hat Build of Apache Camel | =2.10.5 | |
| Red Hat Build of Apache Camel | =2.10.6 | |
| Red Hat Build of Apache Camel | =2.10.7 | |
| Red Hat Build of Apache Camel | =2.11.0 | |
| Red Hat Build of Apache Camel | =2.11.1 | |
| Red Hat Build of Apache Camel | =2.11.2 | |
| Red Hat Build of Apache Camel | =2.12.0 | |
| Red Hat Build of Apache Camel | =2.12.1 | |
| Red Hat Build of Apache Camel | =2.12.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://issues.apache.org/jira/browse/CAMEL-7130
- https://fisheye6.atlassian.com/changelog/camel-git?cs=7c9326f4962cdad97d5de89cfb4483e04cab1d35
- https://fisheye6.atlassian.com/changelog/camel-git?cs=cc192f87b7c4a43c6cff0646486384c9946e2ac9
- http://camel.apache.org/security-advisories.data/CVE-2014-0002.txt.asc
- https://rhn.redhat.com/errata/RHSA-2014-0323.html
- https://rhn.redhat.com/errata/RHSA-2014-0371.html
- https://rhn.redhat.com/errata/RHSA-2014-0372.html
- https://rhn.redhat.com/errata/RHSA-2014-0452.html
- https://rhn.redhat.com/errata/RHSA-2014-0459.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1049675
- http://rhn.redhat.com/errata/RHSA-2014-0371.html
- http://rhn.redhat.com/errata/RHSA-2014-0372.html
- http://secunia.com/advisories/57125
- http://secunia.com/advisories/57716
- http://secunia.com/advisories/57719
- http://www.securityfocus.com/bid/65901
- https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E
- https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d%40%3Ccommits.camel.apache.org%3E
- https://nvd.nist.gov/vuln/detail/CVE-2014-0002
- https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf@%3Ccommits.camel.apache.org%3E
- https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d@%3Ccommits.camel.apache.org%3E
- https://web.archive.org/web/20200229061309/http://www.securityfocus.com/bid/65901
- https://github.com/apache/camel/commit/2ec54fa0c13ae65bdcccff764af081a79fcc05f
- https://github.com/apache/camel/commit/341d4e6cca71c53c90962d1c3d45fc9e05cc50c6
- https://github.com/apache/camel/commit/54b65c1d30848835f26bd138c0ba407bc1e560d
- https://issues.apache.org/jira/browse/CAMEL-7129
- https://github.com/advisories/GHSA-2fw5-rvf2-jq56 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2014-0002?
CVE-2014-0002 is classified as a critical vulnerability because it allows remote attackers to read arbitrary files on the server.
How do I fix CVE-2014-0002?
To address CVE-2014-0002, upgrade the Apache Camel software to version 2.11.4 or 2.12.3 or later.
Which versions of Apache Camel are affected by CVE-2014-0002?
CVE-2014-0002 affects Apache Camel versions up to and including 2.11.3 and versions 1.0.0 through 2.11.3.
What types of attacks can exploit CVE-2014-0002?
CVE-2014-0002 can be exploited by an attacker who can submit XML messages to an xslt: route, leading to potential file disclosure.
Are there any mitigations for CVE-2014-0002?
There are no specific mitigations; the best practice is to apply the fix by upgrading to the recommended versions.
- collector/redhat-bugzilla
- alias/CVE-2014-0002
- collector/github-advisory-latest
- alias/GHSA-2fw5-rvf2-jq56
- collector/github-advisory
- agent/type
- agent/first-publish-date
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/severity
- agent/last-modified-date
- agent/references
- agent/event
- agent/description
- agent/trending
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-cve
- agent/author
- package-manager/maven
- vendor/apache
- canonical/red hat build of apache camel
- version/red hat build of apache camel/2.11.3
- version/red hat build of apache camel/1.0.0
- version/red hat build of apache camel/1.1.0
- version/red hat build of apache camel/1.2.0
- version/red hat build of apache camel/1.3.0
- version/red hat build of apache camel/1.4.0
- version/red hat build of apache camel/1.5.0
- version/red hat build of apache camel/1.6.0
- version/red hat build of apache camel/1.6.1
- version/red hat build of apache camel/1.6.2
- version/red hat build of apache camel/1.6.3
- version/red hat build of apache camel/1.6.4
- version/red hat build of apache camel/2.0.0
- version/red hat build of apache camel/2.0.0-milestone1
- version/red hat build of apache camel/2.0.0-milestone2
- version/red hat build of apache camel/2.0.0-milestone3
- version/red hat build of apache camel/2.1.0
- version/red hat build of apache camel/2.10.0
- version/red hat build of apache camel/2.10.1
- version/red hat build of apache camel/2.10.2
- version/red hat build of apache camel/2.10.3
- version/red hat build of apache camel/2.10.4
- version/red hat build of apache camel/2.10.5
- version/red hat build of apache camel/2.10.6
- version/red hat build of apache camel/2.10.7
- version/red hat build of apache camel/2.11.0
- version/red hat build of apache camel/2.11.1
- version/red hat build of apache camel/2.11.2
- version/red hat build of apache camel/2.12.0
- version/red hat build of apache camel/2.12.1
- version/red hat build of apache camel/2.12.2