CVE-2015-0264
Camel: XXE via XPath expression evaluation
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Multiple XML external entity (XXE) vulnerabilities in builder/xml/XPathBuilder.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allow remote attackers to read arbitrary files via an external entity in an invalid XML (1) String or (2) GenericFile object in an XPath query.
Múltiples vulnerabilidades de entidad externa XML (XXE) en builder/xml/XPathBuilder.java en Apache Camel anterior a 2.13.4 y 2.14.x anterior a 2.14.2 permiten a atacantes remotos leer ficheros arbitrarios a través de una entidad externa en un objeto XML (1) String o (2) GenericFile inválido en una consulta XPath.
It was found that Apache Camel performed XML External Entity (XXE) expansion when evaluating invalid XML Strings or invalid XML GenericFile objects. A remote attacker able to submit a crafted XML message could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2014-11-18 CVE Reserved
- 2015-06-01 CVE Published
- 2024-08-06 CVE Updated
- 2024-08-17 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-611: Improper Restriction of XML External Entity Reference
CAPEC
References (10)
URL | Date | SRC |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
http://rhn.redhat.com/errata/RHSA-2015-1041.html | 2023-11-07 | |
http://rhn.redhat.com/errata/RHSA-2015-1538.html | 2023-11-07 | |
http://rhn.redhat.com/errata/RHSA-2015-1539.html | 2023-11-07 | |
https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc | 2023-11-07 | |
https://access.redhat.com/security/cve/CVE-2015-0264 | 2015-12-07 | |
https://bugzilla.redhat.com/show_bug.cgi?id=1203341 | 2015-12-07 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Apache Search vendor "Apache" | Camel Search vendor "Apache" for product "Camel" | <= 2.13.3 Search vendor "Apache" for product "Camel" and version " <= 2.13.3" | - |
Affected
| ||||||
Apache Search vendor "Apache" | Camel Search vendor "Apache" for product "Camel" | 2.14.0 Search vendor "Apache" for product "Camel" and version "2.14.0" | - |
Affected
| ||||||
Apache Search vendor "Apache" | Camel Search vendor "Apache" for product "Camel" | 2.14.1 Search vendor "Apache" for product "Camel" and version "2.14.1" | - |
Affected
|