Apache Camel prior to 2.24.0 contains an XML external entity injection (XXE) vulnerability (CWE-611) due to using an outdated vulnerable JSON-lib library. This affects only the camel-xmljson component, which was removed.
CVSS Score
7.5
EPSS Score
0.02
Published
2019-05-28
Apache Camel's File is vulnerable to directory traversal. Camel 2.21.0 to 2.21.3, 2.22.0 to 2.22.2, 2.23.0 and the unsupported Camel 2.x (2.19 and earlier) versions may be also affected.
CVSS Score
7.5
EPSS Score
0.024
Published
2019-04-30
The camel-hessian component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-serialisation vulnerability. De-serializing untrusted data can lead to security flaws.
CVSS Score
9.8
EPSS Score
0.036
Published
2017-11-15
The camel-castor component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-serialisation vulnerability. De-serializing untrusted data can lead to security flaws.
CVSS Score
9.8
EPSS Score
0.048
Published
2017-11-15
Apache Camel's Validation Component is vulnerable against SSRF via remote DTDs and XXE.
CVSS Score
7.4
EPSS Score
0.008
Published
2017-03-16
Apache Camel's camel-snakeyaml component is vulnerable to Java object de-serialization vulnerability. De-serializing untrusted data can lead to security flaws.
CVSS Score
9.8
EPSS Score
0.028
Published
2017-03-07
The camel-xstream component in Apache Camel before 2.15.5 and 2.16.x before 2.16.1 allow remote attackers to execute arbitrary commands via a crafted serialized Java object in an HTTP request.
CVSS Score
9.8
EPSS Score
0.031
Published
2016-02-03
Multiple XML external entity (XXE) vulnerabilities in builder/xml/XPathBuilder.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allow remote attackers to read arbitrary files via an external entity in an invalid XML (1) String or (2) GenericFile object in an XPath query.
CVSS Score
5.0
EPSS Score
0.015
Published
2015-06-03
XML external entity (XXE) vulnerability in the XML converter setup in converter/jaxp/XmlConverter.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allows remote attackers to read arbitrary files via an external entity in an SAXSource.
CVSS Score
5.0
EPSS Score
0.027
Published
2015-06-03
The XSLT component in Apache Camel before 2.11.4 and 2.12.x before 2.12.3 allows remote attackers to read arbitrary files and possibly have other unspecified impact via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
CVSS Score
7.5
EPSS Score
0.348
Published
2014-03-21
Page 1