// For flags

CVE-2017-5643

camel-core: Validation component vulnerable to SSRF via remote DTDs and XXE

Severity Score

7.4
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Apache Camel's Validation Component is vulnerable against SSRF via remote DTDs and XXE.

Apache Camel's Validation Component es vulnerable contra ataques de SSRF a través de DTDs y XXE remotos.

It was found that Apache Camel's validation component evaluates DTD headers of XML stream sources, although a validation against XML schemas (XSD) is executed. Remote attackers can use this feature to make Server-Side Request Forgery (SSRF) attacks by sending XML documents with remote DTDs URLs or XML External Entities (XXE). The vulnerability is not given for SAX or StAX sources.

Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform. Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards compliant messaging system that is tailored for use in mission critical applications. This patch is an update to Red Hat JBoss Fuse 6.3 and Red Hat JBoss A-MQ 6.3. It includes bug fixes and enhancements, which are documented in the readme.txt file included with the patch files. Multiple security issues have been addressed.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
None
Integrity
High
Availability
None
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2017-01-29 CVE Reserved
  • 2017-03-16 CVE Published
  • 2024-08-05 CVE Updated
  • 2025-03-30 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-918: Server-Side Request Forgery (SSRF)
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Apache
Search vendor "Apache"
 Camel
Search vendor "Apache" for product "Camel"
 <= 2.16.0
Search vendor "Apache" for product "Camel" and version " <= 2.16.0"
-
Affected
Apache
Search vendor "Apache"
 Camel
Search vendor "Apache" for product "Camel"
 2.17.0
Search vendor "Apache" for product "Camel" and version "2.17.0"
-
Affected
Apache
Search vendor "Apache"
 Camel
Search vendor "Apache" for product "Camel"
 2.17.1
Search vendor "Apache" for product "Camel" and version "2.17.1"
-
Affected
Apache
Search vendor "Apache"
 Camel
Search vendor "Apache" for product "Camel"
 2.17.2
Search vendor "Apache" for product "Camel" and version "2.17.2"
-
Affected
Apache
Search vendor "Apache"
 Camel
Search vendor "Apache" for product "Camel"
 2.17.3
Search vendor "Apache" for product "Camel" and version "2.17.3"
-
Affected
Apache
Search vendor "Apache"
 Camel
Search vendor "Apache" for product "Camel"
 2.17.4
Search vendor "Apache" for product "Camel" and version "2.17.4"
-
Affected
Apache
Search vendor "Apache"
 Camel
Search vendor "Apache" for product "Camel"
 2.17.5
Search vendor "Apache" for product "Camel" and version "2.17.5"
-
Affected
Apache
Search vendor "Apache"
 Camel
Search vendor "Apache" for product "Camel"
 2.18.0
Search vendor "Apache" for product "Camel" and version "2.18.0"
-
Affected
Apache
Search vendor "Apache"
 Camel
Search vendor "Apache" for product "Camel"
 2.18.1
Search vendor "Apache" for product "Camel" and version "2.18.1"
-
Affected
Apache
Search vendor "Apache"
 Camel
Search vendor "Apache" for product "Camel"
 2.18.2
Search vendor "Apache" for product "Camel" and version "2.18.2"
-
Affected