Page 2 of 13 results (0.006 seconds)

CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 0

Apache Camel's camel-snakeyaml component is vulnerable to Java object de-serialization vulnerability. De-serializing untrusted data can lead to security flaws. El componente camel-snakeyaml de Apache Camel es vulnerable a la vulnerabilidad de la deserialización de objetos Java. La deserialización de datos no confiables puede conducir a a fallos de seguridad. It was found that the camel-snakeyaml component is exploitable for code execution. • http://camel.apache.org/security-advisories.data/CVE-2017-3159.txt.asc?version=1&modificationDate=1486565167000&api=v2 http://www.openwall.com/lists/oss-security/2017/05/22/2 http://www.securityfocus.com/bid/96321 https://access.redhat.com/errata/RHSA-2017:0868 https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d%40%3Ccommits.camel.apache.org%3E https://www.gi • CWE-502: Deserialization of Untrusted Data •

CVSS: 9.8EPSS: 1%CPEs: 2EXPL: 0

The camel-xstream component in Apache Camel before 2.15.5 and 2.16.x before 2.16.1 allow remote attackers to execute arbitrary commands via a crafted serialized Java object in an HTTP request. El componente camel-xstream en Apache Camel en versiones anteriores a 2.15.5 y 2.16.x en versiones anteriores a 2.16.1 permite a atacantes remotos ejecutar comandos arbitrarios a través de un objeto Java serializado manipulado en una petición HTTP. It was found that Apache Camel's camel-xstream component was vulnerable to Java object deserialization. This vulnerability permits deserialization of data which could lead to information disclosure, code execution, or other possible attacks. • http://camel.apache.org/security-advisories.data/CVE-2015-5344.txt.asc http://rhn.redhat.com/errata/RHSA-2016-2035.html http://www.securityfocus.com/archive/1/537414/100/0/threaded http://www.securityfocus.com/bid/82260 https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d%40%3Ccommits.camel.apache.org%3E https://access.redhat.com/security/cve/CVE-2015-5344& • CWE-19: Data Processing Errors CWE-502: Deserialization of Untrusted Data •

CVSS: 8.1EPSS: 0%CPEs: 58EXPL: 0

Apache Camel 2.6.x through 2.14.x, 2.15.x before 2.15.5, and 2.16.x before 2.16.1, when using (1) camel-jetty or (2) camel-servlet as a consumer in Camel routes, allow remote attackers to execute arbitrary commands via a crafted serialized Java object in an HTTP request. Apache Camel 2.6.x hasta la versión 2.14.x, 2.15.x en versiones anteriores a 2.15.5 y 2.16.x en versiones anteriores a 2.16.1, cuando se utiliza(1) camel-jetty o (2) camel-servlet como un consumidor en rutas Camel, permite a atacantes remotos ejecutar comandos arbitrarios a través de un objeto Java serializado manipulado en una petición HTTP. It was found that Apache Camel's Jetty/Servlet usage is vulnerable to Java object de-serialisation vulnerability. If using camel-jetty, or camel-servlet as a consumer in Camel routes, then Camel will automatically de-serialize HTTP requests that uses the content-header: application/x-java-serialized-object. • http://camel.apache.org/security-advisories.data/CVE-2015-5348.txt.asc http://packetstormsecurity.com/files/134946/Apache-Camel-Java-Object-Deserialization.html http://rhn.redhat.com/errata/RHSA-2016-2035.html http://www.securityfocus.com/archive/1/537147/100/0/threaded http://www.securityfocus.com/bid/80696 https://issues.apache.org/jira/browse/CAMEL-9309 https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E https://lists.apache.org&# • CWE-19: Data Processing Errors •

CVSS: 5.0EPSS: 0%CPEs: 3EXPL: 0

XML external entity (XXE) vulnerability in the XML converter setup in converter/jaxp/XmlConverter.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allows remote attackers to read arbitrary files via an external entity in an SAXSource. Vulnerabilidad de entidad externa XML (XXE) en el montaje del convertidor XML en converter/jaxp/XmlConverter.java en Apache Camel anterior a 2.13.4 y 2.14.x anterior a 2.14.2 p3ermite a atacantes remotos leer ficheros arbitrarios a través de una entidad externa en una SAXSource. It was found that Apache Camel's XML converter performed XML External Entity (XXE) expansion. A remote attacker able to submit an SAXSource containing an XXE declaration could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks. • http://rhn.redhat.com/errata/RHSA-2015-1041.html http://rhn.redhat.com/errata/RHSA-2015-1538.html http://rhn.redhat.com/errata/RHSA-2015-1539.html http://www.securitytracker.com/id/1032442 https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc https://git-wip-us.apache.org/repos/asf?p=camel.git%3Ba=commitdiff%3Bh=7d19340bcdb42f7aae584d9c5003ac4f7ddaee36 https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E https://li • CWE-611: Improper Restriction of XML External Entity Reference •

CVSS: 5.0EPSS: 0%CPEs: 3EXPL: 0

Multiple XML external entity (XXE) vulnerabilities in builder/xml/XPathBuilder.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allow remote attackers to read arbitrary files via an external entity in an invalid XML (1) String or (2) GenericFile object in an XPath query. Múltiples vulnerabilidades de entidad externa XML (XXE) en builder/xml/XPathBuilder.java en Apache Camel anterior a 2.13.4 y 2.14.x anterior a 2.14.2 permiten a atacantes remotos leer ficheros arbitrarios a través de una entidad externa en un objeto XML (1) String o (2) GenericFile inválido en una consulta XPath. It was found that Apache Camel performed XML External Entity (XXE) expansion when evaluating invalid XML Strings or invalid XML GenericFile objects. A remote attacker able to submit a crafted XML message could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks. • http://rhn.redhat.com/errata/RHSA-2015-1041.html http://rhn.redhat.com/errata/RHSA-2015-1538.html http://rhn.redhat.com/errata/RHSA-2015-1539.html http://securitytracker.com/id/1032442 https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc https://git-wip-us.apache.org/repos/asf?p=camel.git%3Ba=commitdiff%3Bh=1df559649a96a1ca0368373387e542f46e4820da https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E https://lists. • CWE-611: Improper Restriction of XML External Entity Reference •