CVE-2015-0264
First published: Wed Jun 03 2015(Updated: )
Multiple XML external entity (XXE) vulnerabilities in builder/xml/XPathBuilder.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allow remote attackers to read arbitrary files via an external entity in an invalid XML (1) String or (2) GenericFile object in an XPath query.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.apache.camel:camel-core | >=2.14.0<2.14.2 | 2.14.2 |
| maven/org.apache.camel:camel-core | <2.13.4 | 2.13.4 |
| Red Hat Build of Apache Camel | <=2.13.3 | |
| Red Hat Build of Apache Camel | =2.14.0 | |
| Red Hat Build of Apache Camel | =2.14.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://rhn.redhat.com/errata/RHSA-2015-1041.html
- http://rhn.redhat.com/errata/RHSA-2015-1538.html
- http://rhn.redhat.com/errata/RHSA-2015-1539.html
- http://securitytracker.com/id/1032442
- https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc
- https://git-wip-us.apache.org/repos/asf?p=camel.git;a=commitdiff;h=1df559649a96a1ca0368373387e542f46e4820da
- https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf@%3Ccommits.camel.apache.org%3E
- https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d@%3Ccommits.camel.apache.org%3E
- https://nvd.nist.gov/vuln/detail/CVE-2015-0264
- https://github.com/advisories/GHSA-mhx2-r3jx-g94c (Advisory)
- https://github.com/apache/camel/commit/7360aada5154434c68774aa30e0f21ddc5f27b9f
- https://github.com/apache/camel/commit/b47b51a195b38e7ab7c099d19910af70a16638f6
- https://issues.apache.org/jira/browse/CAMEL-8312
- https://git-wip-us.apache.org/repos/asf?p=camel.git%3Ba=commitdiff%3Bh=1df559649a96a1ca0368373387e542f46e4820da
- https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E
- https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d%40%3Ccommits.camel.apache.org%3E
Frequently Asked Questions
What is the severity of CVE-2015-0264?
CVE-2015-0264 is classified as a medium severity vulnerability due to its potential to allow unauthorized file access.
How do I fix CVE-2015-0264?
To fix CVE-2015-0264, update Apache Camel to version 2.13.4 or 2.14.2 or later.
What are the affected versions for CVE-2015-0264?
Affected versions of Apache Camel include versions prior to 2.13.4 and 2.14.0 through 2.14.1.
What are the consequences of exploiting CVE-2015-0264?
Exploitation of CVE-2015-0264 allows attackers to read arbitrary files on the server by manipulating XML input.
Does CVE-2015-0264 affect all users of Apache Camel?
CVE-2015-0264 specifically affects users of Apache Camel versions 2.13.3 and below, and 2.14.0 and 2.14.1.
- collector/github-advisory-latest
- alias/GHSA-mhx2-r3jx-g94c
- alias/CVE-2015-0264
- collector/github-advisory
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/references
- agent/description
- agent/event
- agent/first-publish-date
- agent/trending
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-cve
- agent/author
- package-manager/maven
- vendor/apache
- canonical/red hat build of apache camel
- version/red hat build of apache camel/2.13.3
- version/red hat build of apache camel/2.14.0
- version/red hat build of apache camel/2.14.1