CVE-2017-5643: SSRF
First published: Thu Mar 16 2017(Updated: )
Apache Camel's Validation Component is vulnerable against SSRF via remote DTDs and XXE.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.apache.camel:camel-core | >=2.18.0<2.18.2 | 2.18.2 |
| maven/org.apache.camel:camel-core | <2.17.6 | 2.17.6 |
| redhat/camel-core | <2.17.6 | 2.17.6 |
| redhat/camel-core | <2.18.3 | 2.18.3 |
| Red Hat Build of Apache Camel | <=2.16.0 | |
| Red Hat Build of Apache Camel | =2.17.0 | |
| Red Hat Build of Apache Camel | =2.17.1 | |
| Red Hat Build of Apache Camel | =2.17.2 | |
| Red Hat Build of Apache Camel | =2.17.3 | |
| Red Hat Build of Apache Camel | =2.17.4 | |
| Red Hat Build of Apache Camel | =2.17.5 | |
| Red Hat Build of Apache Camel | =2.18.0 | |
| Red Hat Build of Apache Camel | =2.18.1 | |
| Red Hat Build of Apache Camel | =2.18.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2017-5643
- https://access.redhat.com/errata/RHSA-2017:1832
- https://github.com/advisories/GHSA-vq9j-jh62-5hmp (Advisory)
- https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf@%3Ccommits.camel.apache.org%3E
- https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d@%3Ccommits.camel.apache.org%3E
- http://camel.apache.org/security-advisories.data/CVE-2017-5643.txt.asc?version=1&modificationDate=1489652454000&api=v2
- http://www.securityfocus.com/bid/97226
- https://github.com/apache/camel/commit/2c6964ae94d8f9a9c9a32e5ae5a0b794e8b8d3be
- https://github.com/apache/camel/commit/8afc5d1757795fde715902067360af5d90f046da
- https://github.com/apache/camel/commit/9f7376abbff7434794f2c7c2909e02bac232fb5b
- https://issues.apache.org/jira/browse/CAMEL-10894
- https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E
- https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d%40%3Ccommits.camel.apache.org%3E
- https://camel.apache.org/security-advisories.data/CVE-2017-5643.txt
- https://access.redhat.com/support/policy/updates/jboss_notes
- https://bugzilla.redhat.com/show_bug.cgi?id=1433374
Frequently Asked Questions
What is the severity of CVE-2017-5643?
CVE-2017-5643 has a moderate severity level due to its potential exploitation via Server-Side Request Forgery (SSRF) using remote DTDs and XML External Entity (XXE).
How do I fix CVE-2017-5643?
To fix CVE-2017-5643, upgrade Apache Camel to version 2.18.2 or 2.17.6 or later.
Which versions are affected by CVE-2017-5643?
CVE-2017-5643 affects various versions of Apache Camel, specifically versions prior to 2.17.6 and 2.18.2.
What kind of attacks can exploit CVE-2017-5643?
CVE-2017-5643 allows attackers to exploit SSRF vulnerabilities through remote DTDs and perform XXE attacks.
Is there a specific version of Apache Camel that is a safe upgrade for CVE-2017-5643?
Yes, upgrading to Apache Camel version 2.18.2 or 2.17.6 or their later versions mitigates the risk associated with CVE-2017-5643.
- collector/github-advisory-latest
- alias/GHSA-vq9j-jh62-5hmp
- alias/CVE-2017-5643
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- agent/softwarecombine
- agent/references
- agent/severity
- agent/weakness
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- agent/event
- agent/description
- agent/trending
- agent/source
- agent/tags
- collector/nvd-cve
- agent/software-canonical-lookup-request
- collector/nvd-index
- agent/author
- package-manager/maven
- package-manager/redhat
- vendor/apache
- canonical/red hat build of apache camel
- version/red hat build of apache camel/2.16.0
- version/red hat build of apache camel/2.17.0
- version/red hat build of apache camel/2.17.1
- version/red hat build of apache camel/2.17.2
- version/red hat build of apache camel/2.17.3
- version/red hat build of apache camel/2.17.4
- version/red hat build of apache camel/2.17.5
- version/red hat build of apache camel/2.18.0
- version/red hat build of apache camel/2.18.1
- version/red hat build of apache camel/2.18.2