CVE-2015-5344 – camel-xstream: Java object de-serialization vulnerability leads to RCE
https://notcve.org/view.php?id=CVE-2015-5344
The camel-xstream component in Apache Camel before 2.15.5 and 2.16.x before 2.16.1 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in an HTTP request.
It was found that Apache Camel's camel-xstream component was vulnerable to Java object deserialization. This vulnerability permits deserialization of data which could lead to information disclosure, code execution, or other possible attacks.
• http://camel.apache.org/security-advisories.data/CVE-2015-5344.txt.asc
• http://rhn.redhat.com/errata/RHSA-2016-2035.html
• http://www.securityfocus.com/archive/1/537414/100/0/threaded
• http://www.securityfocus.com/bid/82260
• https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E
• https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d%40%3Ccommits.camel.apache.org%3E
• https://access.redhat.com/security/cve/CVE-2015-5344&
• CWE-19: Data Processing Errors
• CWE-502: Deserialization of Untrusted Data
CVE-2015-5348 – Camel: Java object deserialisation in Jetty/Servlet
https://notcve.org/view.php?id=CVE-2015-5348
Apache Camel 2.6.x through 2.14.x, 2.15.x before 2.15.5, and 2.16.x before 2.16.1, when using (1) camel-jetty or (2) camel-servlet as a consumer in Camel routes, allows remote attackers to execute arbitrary commands via a crafted serialized Java object in an HTTP request.
It was found that Apache Camel's Jetty/Servlet usage is vulnerable to Java object de-serialisation. If using camel-jetty or camel-servlet as a consumer in Camel routes, then Camel will automatically de-serialize HTTP requests that use the content-header: application/x-java-serialized-object.
• http://camel.apache.org/security-advisories.data/CVE-2015-5348.txt.asc
• http://packetstormsecurity.com/files/134946/Apache-Camel-Java-Object-Deserialization.html
• http://rhn.redhat.com/errata/RHSA-2016-2035.html
• http://www.securityfocus.com/archive/1/537147/100/0/threaded
• http://www.securityfocus.com/bid/80696
• https://issues.apache.org/jira/browse/CAMEL-9309
• https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E
• https://lists.apache.org
• CWE-19: Data Processing Errors
CVE-2015-0263 – Camel: XXE via SAXSource expansion
https://notcve.org/view.php?id=CVE-2015-0263
XML external entity (XXE) vulnerability in the XML converter setup in converter/jaxp/XmlConverter.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allows remote attackers to read arbitrary files via an external entity in a SAXSource.
It was found that Apache Camel's XML converter performed XML External Entity (XXE) expansion. A remote attacker able to submit a SAXSource containing an XXE declaration could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.
• http://rhn.redhat.com/errata/RHSA-2015-1041.html
• http://rhn.redhat.com/errata/RHSA-2015-1538.html
• http://rhn.redhat.com/errata/RHSA-2015-1539.html
• http://www.securitytracker.com/id/1032442
• https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc
• https://git-wip-us.apache.org/repos/asf?p=camel.git%3Ba=commitdiff%3Bh=7d19340bcdb42f7aae584d9c5003ac4f7ddaee36
• https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E
• https://li
• CWE-611: Improper Restriction of XML External Entity Reference
CVE-2015-0264 – Camel: XXE via XPath expression evaluation
https://notcve.org/view.php?id=CVE-2015-0264
Multiple XML external entity (XXE) vulnerabilities in builder/xml/XPathBuilder.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allow remote attackers to read arbitrary files via an external entity in an invalid XML (1) String or (2) GenericFile object in an XPath query.
It was found that Apache Camel performed XML External Entity (XXE) expansion when evaluating invalid XML Strings or invalid XML GenericFile objects. A remote attacker able to submit a crafted XML message could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.
• http://rhn.redhat.com/errata/RHSA-2015-1041.html
• http://rhn.redhat.com/errata/RHSA-2015-1538.html
• http://rhn.redhat.com/errata/RHSA-2015-1539.html
• http://securitytracker.com/id/1032442
• https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc
• https://git-wip-us.apache.org/repos/asf?p=camel.git%3Ba=commitdiff%3Bh=1df559649a96a1ca0368373387e542f46e4820da
• https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E
• https://lists.
• CWE-611: Improper Restriction of XML External Entity Reference
CVE-2014-0003 – Camel: remote code execution via XSL
https://notcve.org/view.php?id=CVE-2014-0003
The XSLT component in Apache Camel 2.11.x before 2.11.4, 2.12.x before 2.12.3, and possibly earlier versions allows remote attackers to execute arbitrary Java methods via a crafted message.
• http://camel.apache.org/security-advisories.data/CVE-2014-0003.txt.asc
• http://rhn.redhat.com/errata/RHSA-2014-0245.html
• http://rhn.redhat.com/errata/RHSA-2014-0254.html
• http://rhn.redhat.com/errata/RHSA-2014-0371.html
• http://rhn.redhat.com/errata/RHSA-2014-0372.html
• http://secunia.com/advisories/57125
• http://secunia.com/advisories/57716
• http://secunia.com/advisories/57719
• http://www.securityfocus.com/bid/65902
• https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b3
• CWE-264: Permissions, Privileges, and Access Controls