
CVE-2019-0188
https://notcve.org/view.php?id=CVE-2019-0188
28 May 2019 — Apache Camel prior to 2.24.0 contains an XML external entity injection (XXE) vulnerability (CWE-611) due to using an outdated vulnerable JSON-lib library. This affects only the camel-xmljson component, which was removed. • http://jvn.jp/en/jp/JVN71498764/index.html • CWE-611: Improper Restriction of XML External Entity Reference

CVE-2019-0194 – camel: Directory traversal in file producer
https://notcve.org/view.php?id=CVE-2019-0194
30 Apr 2019 — Apache Camel's File is vulnerable to directory traversal. Camel 2.21.0 to 2.21.3, 2.22.0 to 2.22.2, 2.23.0 and the unsupported Camel 2.x (2.19 and earlier) versions may also be affected. • http://www.openwall.com/lists/oss-security/2019/04/30/2 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2017-12633 – camel-hessian: Apache Camel's Hessian unmarshalling operation is vulnerable to Remote Code Execution attacks
https://notcve.org/view.php?id=CVE-2017-12633
15 Nov 2017 — The camel-hessian component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to a Java object de-serialisation vulnerability. De-serializing untrusted data can lead to security flaws. It was found that Apache Camel contains a secu... • http://camel.apache.org/security-advisories.data/CVE-2017-12633.txt.asc • CWE-502: Deserialization of Untrusted Data

CVE-2017-12634 – camel-castor: Apache Camel's Castor unmarshalling operation is vulnerable to Remote Code Execution attacks
https://notcve.org/view.php?id=CVE-2017-12634
15 Nov 2017 — The camel-castor component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to a Java object de-serialisation vulnerability. De-serializing untrusted data can lead to security flaws. It was found that Apache Camel contains a securi... • http://camel.apache.org/security-advisories.data/CVE-2017-12634.txt.asc • CWE-502: Deserialization of Untrusted Data

CVE-2016-8749 – camel-jacksonxml: Unmarshalling operations are vulnerable to RCE
https://notcve.org/view.php?id=CVE-2016-8749
28 Mar 2017 — Apache Camel's Jackson and JacksonXML unmarshalling operations are vulnerable to Remote Code Execution attacks. It was found that Apache Camel's camel-jackson and camel-jacksonxml components are vulnerable to a Java object de-serialisation vulnerability. Camel allows such a type through the 'CamelJacksonUnmarshalType' property. De-serializing untrusted data can lead to security flaws as demonstr... • http://camel.apache.org/security-advisories.data/CVE-2016-8749.txt.asc?version=2&modificationDate=1486565034000&api=v2 • CWE-502: Deserialization of Untrusted Data

CVE-2017-5643 – camel-core: Validation component vulnerable to SSRF via remote DTDs and XXE
https://notcve.org/view.php?id=CVE-2017-5643
16 Mar 2017 — Apache Camel's Validation Component is vulnerable to SSRF via remote DTDs and XXE. It was found that Apache Camel's validation component evaluates DTD headers of XML stream sources, although a validation against XML schemas (XSD) is executed. Remote attackers can use this feature to make Server-Side Request Forgery (SSRF) attacks by sending XML documents with remote DTDs URLs or XML External Entitie... • http://camel.apache.org/security-advisories.data/CVE-2017-5643.txt.asc?version=1&modificationDate=1489652454000&api=v2 • CWE-918: Server-Side Request Forgery (SSRF)

CVE-2017-3159 – camel-snakeyaml: Unmarshalling operation is vulnerable to RCE
https://notcve.org/view.php?id=CVE-2017-3159
07 Mar 2017 — Apache Camel's camel-snakeyaml component is vulnerable to a Java object de-serialization vulnerability. De-serializing untrusted data can lead to security flaws. It was found that the camel-snakeyaml component is exploitable for code execution. • http://camel.apache.org/security-advisories.data/CVE-2017-3159.txt.asc?version=1&modificationDate=1486565167000&api=v2 • CWE-502: Deserialization of Untrusted Data

CVE-2015-5344 – camel-xstream: Java object de-serialization vulnerability leads to RCE
https://notcve.org/view.php?id=CVE-2015-5344
01 Feb 2016 — The camel-xstream component in Apache Camel before 2.15.5 and 2.16.x before 2.16.1 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in an HTTP request. It was found that Apache Camel's camel-xstream component was vulnerabl... • http://camel.apache.org/security-advisories.data/CVE-2015-5344.txt.asc • CWE-19: Data Processing Errors • CWE-502: Deserialization of Untrusted Data

CVE-2015-5348 – Camel: Java object deserialisation in Jetty/Servlet
https://notcve.org/view.php?id=CVE-2015-5348
17 Dec 2015 — Apache Camel 2.6.x through 2.14.x, 2.15.x before 2.15.5, and 2.16.x before 2.16.1, when using (1) camel-jetty or (2) camel-servlet as a consumer in Camel routes, allow remote attackers to execute arbitrary commands via a crafted serialized Java object in an HTTP request. • http://camel.apache.org/security-advisories.data/CVE-2015-5348.txt.asc • CWE-19: Data Processing Errors

CVE-2015-0264 – Camel: XXE via XPath expression evaluation
https://notcve.org/view.php?id=CVE-2015-0264
01 Jun 2015 — Multiple XML external entity (XXE) vulnerabilities in builder/xml/XPathBuilder.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allow remote attackers to read arbitrary files via an external entity in an invalid XML (1) String or (2) GenericFile object in an XPath query. • http://rhn.redhat.com/errata/RHSA-2015-1041.html • CWE-611: Improper Restriction of XML External Entity Reference