CVE-2014-0003
First published: Wed Jan 08 2014(Updated: )
It was found that the Apache Camel XSLT component allowed XSL stylesheets to perform calls to external Java methods. A remote attacker able to submit messages to an xslt: Camel route could use this flaw to perform arbitrary remote code execution in the context of the Camel server process.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.apache.camel:camel-core | >=2.12.0<2.12.3 | 2.12.3 |
| maven/org.apache.camel:camel-core | >=2.11.0<2.11.4 | 2.11.4 |
| Red Hat Build of Apache Camel | <=2.11.3 | |
| Red Hat Build of Apache Camel | =1.0.0 | |
| Red Hat Build of Apache Camel | =1.1.0 | |
| Red Hat Build of Apache Camel | =1.2.0 | |
| Red Hat Build of Apache Camel | =1.3.0 | |
| Red Hat Build of Apache Camel | =1.4.0 | |
| Red Hat Build of Apache Camel | =1.5.0 | |
| Red Hat Build of Apache Camel | =1.6.0 | |
| Red Hat Build of Apache Camel | =1.6.1 | |
| Red Hat Build of Apache Camel | =1.6.2 | |
| Red Hat Build of Apache Camel | =1.6.3 | |
| Red Hat Build of Apache Camel | =1.6.4 | |
| Red Hat Build of Apache Camel | =2.0.0 | |
| Red Hat Build of Apache Camel | =2.0.0-milestone1 | |
| Red Hat Build of Apache Camel | =2.0.0-milestone2 | |
| Red Hat Build of Apache Camel | =2.0.0-milestone3 | |
| Red Hat Build of Apache Camel | =2.1.0 | |
| Red Hat Build of Apache Camel | =2.10.0 | |
| Red Hat Build of Apache Camel | =2.10.1 | |
| Red Hat Build of Apache Camel | =2.10.2 | |
| Red Hat Build of Apache Camel | =2.10.3 | |
| Red Hat Build of Apache Camel | =2.10.4 | |
| Red Hat Build of Apache Camel | =2.10.5 | |
| Red Hat Build of Apache Camel | =2.10.6 | |
| Red Hat Build of Apache Camel | =2.10.7 | |
| Red Hat Build of Apache Camel | =2.11.0 | |
| Red Hat Build of Apache Camel | =2.11.1 | |
| Red Hat Build of Apache Camel | =2.11.2 | |
| Red Hat Build of Apache Camel | =2.12.0 | |
| Red Hat Build of Apache Camel | =2.12.1 | |
| Red Hat Build of Apache Camel | =2.12.2 | |
| <=2.11.3 | ||
| =1.0.0 | ||
| =1.1.0 | ||
| =1.2.0 | ||
| =1.3.0 | ||
| =1.4.0 | ||
| =1.5.0 | ||
| =1.6.0 | ||
| =1.6.1 | ||
| =1.6.2 | ||
| =1.6.3 | ||
| =1.6.4 | ||
| =2.0.0 | ||
| =2.0.0-milestone1 | ||
| =2.0.0-milestone2 | ||
| =2.0.0-milestone3 | ||
| =2.1.0 | ||
| =2.10.0 | ||
| =2.10.1 | ||
| =2.10.2 | ||
| =2.10.3 | ||
| =2.10.4 | ||
| =2.10.5 | ||
| =2.10.6 | ||
| =2.10.7 | ||
| =2.11.0 | ||
| =2.11.1 | ||
| =2.11.2 | ||
| =2.12.0 | ||
| =2.12.1 | ||
| =2.12.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://issues.apache.org/jira/browse/CAMEL-7123
- https://issues.apache.org/jira/browse/CAMEL-7129
- https://fisheye6.atlassian.com/changelog/camel-git?cs=e922f89290f236f3107039de61af0375826bd96d
- https://fisheye6.atlassian.com/changelog/camel-git?cs=2639264b28940683dfc808bf8edfb41bbceb7ad7
- https://fisheye6.atlassian.com/changelog/camel-git?cs=341d4e6cca71c53c90962d1c3d45fc9e05cc50c6
- http://camel.apache.org/security-advisories.data/CVE-2014-0003.txt.asc
- https://rhn.redhat.com/errata/RHSA-2014-0245.html
- https://rhn.redhat.com/errata/RHSA-2014-0254.html
- https://rhn.redhat.com/errata/RHSA-2014-0323.html
- https://rhn.redhat.com/errata/RHSA-2014-0371.html
- https://rhn.redhat.com/errata/RHSA-2014-0372.html
- https://rhn.redhat.com/errata/RHSA-2014-0452.html
- https://rhn.redhat.com/errata/RHSA-2014-0459.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1049692
- http://rhn.redhat.com/errata/RHSA-2014-0245.html
- http://rhn.redhat.com/errata/RHSA-2014-0254.html
- http://rhn.redhat.com/errata/RHSA-2014-0371.html
- http://rhn.redhat.com/errata/RHSA-2014-0372.html
- http://secunia.com/advisories/57125
- http://secunia.com/advisories/57716
- http://secunia.com/advisories/57719
- http://www.securityfocus.com/bid/65902
- https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E
- https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d%40%3Ccommits.camel.apache.org%3E
- https://nvd.nist.gov/vuln/detail/CVE-2014-0003
- https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf@%3Ccommits.camel.apache.org%3E
- https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d@%3Ccommits.camel.apache.org%3E
- https://web.archive.org/web/20200229061309/http://www.securityfocus.com/bid/65902
- https://github.com/apache/camel/commit/483b445dc77487e2d0f3d8c8bf1a7bbab04464c
- https://github.com/apache/camel/commit/c6de749e9b3c7b61861c5480e91550290585224
- https://github.com/apache/camel/commit/e922f89290f236f3107039de61af0375826bd96d
- https://github.com/advisories/GHSA-h6rp-8v4j-hwph (Advisory)
Frequently Asked Questions
What is the severity of CVE-2014-0003?
The severity of CVE-2014-0003 is considered critical due to the potential for arbitrary remote code execution.
How do I fix CVE-2014-0003?
To fix CVE-2014-0003, upgrade Apache Camel to version 2.11.4 or higher, or to version 2.12.3 or higher.
Which versions of Apache Camel are affected by CVE-2014-0003?
CVE-2014-0003 affects Apache Camel versions 1.0.0 up to and including 2.11.3.
What type of vulnerability is CVE-2014-0003?
CVE-2014-0003 is a remote code execution vulnerability that allows attackers to execute arbitrary code on the server.
Can CVE-2014-0003 be exploited remotely?
Yes, CVE-2014-0003 can be exploited remotely by an attacker who can submit messages to an XSLT Camel route.
- collector/redhat-bugzilla
- alias/CVE-2014-0003
- collector/github-advisory-latest
- alias/GHSA-h6rp-8v4j-hwph
- collector/github-advisory
- agent/references
- agent/type
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/severity
- agent/description
- agent/trending
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-cve
- agent/author
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/source
- agent/softwarecombine
- agent/tags
- agent/event
- package-manager/maven
- vendor/apache
- canonical/red hat build of apache camel
- version/red hat build of apache camel/2.11.3
- version/red hat build of apache camel/1.0.0
- version/red hat build of apache camel/1.1.0
- version/red hat build of apache camel/1.2.0
- version/red hat build of apache camel/1.3.0
- version/red hat build of apache camel/1.4.0
- version/red hat build of apache camel/1.5.0
- version/red hat build of apache camel/1.6.0
- version/red hat build of apache camel/1.6.1
- version/red hat build of apache camel/1.6.2
- version/red hat build of apache camel/1.6.3
- version/red hat build of apache camel/1.6.4
- version/red hat build of apache camel/2.0.0
- version/red hat build of apache camel/2.0.0-milestone1
- version/red hat build of apache camel/2.0.0-milestone2
- version/red hat build of apache camel/2.0.0-milestone3
- version/red hat build of apache camel/2.1.0
- version/red hat build of apache camel/2.10.0
- version/red hat build of apache camel/2.10.1
- version/red hat build of apache camel/2.10.2
- version/red hat build of apache camel/2.10.3
- version/red hat build of apache camel/2.10.4
- version/red hat build of apache camel/2.10.5
- version/red hat build of apache camel/2.10.6
- version/red hat build of apache camel/2.10.7
- version/red hat build of apache camel/2.11.0
- version/red hat build of apache camel/2.11.1
- version/red hat build of apache camel/2.11.2
- version/red hat build of apache camel/2.12.0
- version/red hat build of apache camel/2.12.1
- version/red hat build of apache camel/2.12.2