
CVE-2016-8749 – camel-jacksonxml: Unmarshalling operation are vulnerable to RCE
https://notcve.org/view.php?id=CVE-2016-8749
28 Mar 2017 — Apache Camel's Jackson and JacksonXML unmarshalling operations are vulnerable to Remote Code Execution attacks. It was found that Apache Camel's camel-jackson and camel-jacksonxml components are vulnerable to a Java object de-serialisation vulnerability. Camel allows such a type through the 'CamelJacksonUnmarshalType' property. De-serializing untrusted data can lead to security flaws as demonstr... • http://camel.apache.org/security-advisories.data/CVE-2016-8749.txt.asc?version=2&modificationDate=1486565034000&api=v2 • CWE-502: Deserialization of Untrusted Data •

CVE-2017-5643 – camel-core: Validation component vulnerable to SSRF via remote DTDs and XXE
https://notcve.org/view.php?id=CVE-2017-5643
16 Mar 2017 — Apache Camel's Validation Component is vulnerable to SSRF via remote DTDs and XXE. It was found that Apache Camel's validation component evaluates DTD headers of XML stream sources, even though the validation being executed is against XML schemas (XSD). Remote attackers can use this feature to make Server-Side Request Forgery (SSRF) attacks by sending XML documents with remote DTD URLs or XML External Entitie... • http://camel.apache.org/security-advisories.data/CVE-2017-5643.txt.asc?version=1&modificationDate=1489652454000&api=v2 • CWE-918: Server-Side Request Forgery (SSRF) •

CVE-2017-3159 – camel-snakeyaml: Unmarshalling operation is vulnerable to RCE
https://notcve.org/view.php?id=CVE-2017-3159
07 Mar 2017 — Apache Camel's camel-snakeyaml component is vulnerable to a Java object de-serialization vulnerability. De-serializing untrusted data can lead to security flaws. It was found that the camel-snakeyaml component is exploitable for code execution. • http://camel.apache.org/security-advisories.data/CVE-2017-3159.txt.asc?version=1&modificationDate=1486565167000&api=v2 • CWE-502: Deserialization of Untrusted Data •

CVE-2015-5344 – camel-xstream: Java object de-serialization vulnerability leads to RCE
https://notcve.org/view.php?id=CVE-2015-5344
01 Feb 2016 — The camel-xstream component in Apache Camel before 2.15.5 and 2.16.x before 2.16.1 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in an HTTP request. It was found that Apache Camel's camel-xstream component was vulnerabl... • http://camel.apache.org/security-advisories.data/CVE-2015-5344.txt.asc • CWE-19: Data Processing Errors CWE-502: Deserialization of Untrusted Data •

CVE-2015-5348 – Camel: Java object deserialisation in Jetty/Servlet
https://notcve.org/view.php?id=CVE-2015-5348
17 Dec 2015 — Apache Camel 2.6.x through 2.14.x, 2.15.x before 2.15.5, and 2.16.x before 2.16.1, when using (1) camel-jetty or (2) camel-servlet as a consumer in Camel routes, allow remote attackers to execute arbitrary commands via a crafted serialized Java object in an HTTP request. • http://camel.apache.org/security-advisories.data/CVE-2015-5348.txt.asc • CWE-19: Data Processing Errors •

CVE-2015-0263 – Camel: XXE in via SAXSource expansion
https://notcve.org/view.php?id=CVE-2015-0263
01 Jun 2015 — XML external entity (XXE) vulnerability in the XML converter setup in converter/jaxp/XmlConverter.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allows remote attackers to read arbitrary files via an external entity in a SAXSource. • http://rhn.redhat.com/errata/RHSA-2015-1041.html • CWE-611: Improper Restriction of XML External Entity Reference •

CVE-2015-0264 – Camel: XXE via XPath expression evaluation
https://notcve.org/view.php?id=CVE-2015-0264
01 Jun 2015 — Multiple XML external entity (XXE) vulnerabilities in builder/xml/XPathBuilder.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allow remote attackers to read arbitrary files via an external entity in an invalid XML (1) String or (2) GenericFile object in an XPath query. • http://rhn.redhat.com/errata/RHSA-2015-1041.html • CWE-611: Improper Restriction of XML External Entity Reference •

CVE-2014-0003 – Camel: remote code execution via XSL
https://notcve.org/view.php?id=CVE-2014-0003
02 Mar 2014 — The XSLT component in Apache Camel 2.11.x before 2.11.4, 2.12.x before 2.12.3, and possibly earlier versions allows remote attackers to execute arbitrary Java methods via a crafted message. Apache ActiveMQ provides a SOA infrastructure to connect processes across heterogeneous systems. A flaw... • http://camel.apache.org/security-advisories.data/CVE-2014-0003.txt.asc • CWE-264: Permissions, Privileges, and Access Controls •

CVE-2014-0002 – Camel: XML eXternal Entity (XXE) flaw in XSLT component
https://notcve.org/view.php?id=CVE-2014-0002
02 Mar 2014 — The XSLT component in Apache Camel before 2.11.4 and 2.12.x before 2.12.3 allows remote attackers to read arbitrary files and possibly have other unspecified impact via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. • http://camel.apache.org/security-advisories.data/CVE-2014-0002.txt.asc • CWE-264: Permissions, Privileges, and Access Controls CWE-611: Improper Restriction of XML External Entity Reference •

CVE-2013-4330 – Camel: remote code execution via header field manipulation
https://notcve.org/view.php?id=CVE-2013-4330
30 Sep 2013 — Apache Camel before 2.9.7, 2.10.0 before 2.10.7, 2.11.0 before 2.11.2, and 2.12.0 allows remote attackers to execute arbitrary simple language expressions by including "$simple{}" in a CamelFileName message header to a (1) FILE or (2) FTP producer. • http://camel.apache.org/security-advisories.data/CVE-2013-4330.txt.asc?version=1&modificationDate=1380535446943 • CWE-94: Improper Control of Generation of Code ('Code Injection') •