CVE-2015-0263
Camel: XXE in via SAXSource expansion
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
XML external entity (XXE) vulnerability in the XML converter setup in converter/jaxp/XmlConverter.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allows remote attackers to read arbitrary files via an external entity in an SAXSource.
Vulnerabilidad de entidad externa XML (XXE) en el montaje del convertidor XML en converter/jaxp/XmlConverter.java en Apache Camel anterior a 2.13.4 y 2.14.x anterior a 2.14.2 p3ermite a atacantes remotos leer ficheros arbitrarios a través de una entidad externa en una SAXSource.
It was found that Apache Camel's XML converter performed XML External Entity (XXE) expansion. A remote attacker able to submit an SAXSource containing an XXE declaration could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.
Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform. Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards compliant messaging system that is tailored for use in mission critical applications. This patch is an update to Red Hat JBoss Fuse 6.1.0 and Red Hat JBoss A-MQ 6.1.0. It includes several bug fixes, which are documented in the readme.txt file included with the patch files. The following security issues are addressed in this release: It was found that Apache Camel's XML converter performed XML External Entity expansion. A remote attacker able to submit an SAXSource containing an XXE declaration could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2014-11-18 CVE Reserved
- 2015-06-01 CVE Published
- 2024-08-06 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-611: Improper Restriction of XML External Entity Reference
CAPEC
References (10)
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://rhn.redhat.com/errata/RHSA-2015-1041.html | 2023-11-07 | |
| http://rhn.redhat.com/errata/RHSA-2015-1538.html | 2023-11-07 | |
| http://rhn.redhat.com/errata/RHSA-2015-1539.html | 2023-11-07 | |
| https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc | 2023-11-07 | |
| https://access.redhat.com/security/cve/CVE-2015-0263 | 2015-12-07 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1203344 | 2015-12-07 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Apache Search vendor "Apache" | Camel Search vendor "Apache" for product "Camel" | <= 2.13.3 Search vendor "Apache" for product "Camel" and version " <= 2.13.3" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Camel Search vendor "Apache" for product "Camel" | 2.14.0 Search vendor "Apache" for product "Camel" and version "2.14.0" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Camel Search vendor "Apache" for product "Camel" | 2.14.1 Search vendor "Apache" for product "Camel" and version "2.14.1" | - |
Affected
| ||||||