CVE-2017-5643
camel-core: Validation component vulnerable to SSRF via remote DTDs and XXE
Severity Score
7.4
*CVSS v3
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
Apache Camel's Validation Component is vulnerable against SSRF via remote DTDs and XXE.
Apache Camel's Validation Component es vulnerable contra ataques de SSRF a través de DTDs y XXE remotos.
It was found that Apache Camel's validation component evaluates DTD headers of XML stream sources, although a validation against XML schemas (XSD) is executed. Remote attackers can use this feature to make Server-Side Request Forgery (SSRF) attacks by sending XML documents with remote DTDs URLs or XML External Entities (XXE). The vulnerability is not given for SAX or StAX sources.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2017-01-29 CVE Reserved
- 2017-03-16 CVE Published
- 2023-11-08 EPSS Updated
- 2024-08-05 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-918: Server-Side Request Forgery (SSRF)
CAPEC
References (7)
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Apache Search vendor "Apache" | Camel Search vendor "Apache" for product "Camel" | <= 2.16.0 Search vendor "Apache" for product "Camel" and version " <= 2.16.0" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Camel Search vendor "Apache" for product "Camel" | 2.17.0 Search vendor "Apache" for product "Camel" and version "2.17.0" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Camel Search vendor "Apache" for product "Camel" | 2.17.1 Search vendor "Apache" for product "Camel" and version "2.17.1" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Camel Search vendor "Apache" for product "Camel" | 2.17.2 Search vendor "Apache" for product "Camel" and version "2.17.2" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Camel Search vendor "Apache" for product "Camel" | 2.17.3 Search vendor "Apache" for product "Camel" and version "2.17.3" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Camel Search vendor "Apache" for product "Camel" | 2.17.4 Search vendor "Apache" for product "Camel" and version "2.17.4" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Camel Search vendor "Apache" for product "Camel" | 2.17.5 Search vendor "Apache" for product "Camel" and version "2.17.5" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Camel Search vendor "Apache" for product "Camel" | 2.18.0 Search vendor "Apache" for product "Camel" and version "2.18.0" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Camel Search vendor "Apache" for product "Camel" | 2.18.1 Search vendor "Apache" for product "Camel" and version "2.18.1" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Camel Search vendor "Apache" for product "Camel" | 2.18.2 Search vendor "Apache" for product "Camel" and version "2.18.2" | - |
Affected
| ||||||