Apache Camel security information
Security model and report scope
Before reporting, please read the Apache Camel Security Model.
It is the canonical reference the Apache Camel PMC uses when triaging security reports. It documents who is trusted, where the trust boundaries sit, which vulnerability classes are accepted as framework vulnerabilities, and which categories are out of scope — route-author or operator responsibility, explicit opt-ins, denial of service through unthrottled routes, third-party transitive CVEs not reachable through Camel code, management surfaces placed on an untrusted network, and automated-scanner output with no proof of concept. Reports that fall outside the documented scope are closed with a reference to that page.
The Camel subprojects — Camel Quarkus, Camel Spring Boot, Camel Karaf, Camel Kamelets, Camel Kafka Connector and Camel K — inherit the same trust model; report scope for them is governed by the same document unless a subproject publishes its own security model.
Software Bill of Materials (SBOM)
Every Camel release since 4.0.3 ships with PGP-signed CycloneDX SBOMs that list all dependencies, enabling supply chain risk analysis alongside the CVE advisories below. See Generating SBOMs for details.
Reporting new security problems with Apache Camel
The Apache Software Foundation takes a very active stance in eliminating security problems.
We strongly encourage folks to report such problems to the private security mailing list of the ASF Security Team, before disclosing them in a public forum.
Please see the page of the ASF Security Team for further information and contact information.
Security advisories
| Reference | Affected | Fixed | CVSS score | Description |
|---|---|---|---|---|
| 2026 | ||||
| CVE-2026-43866 | From 3.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. | 4.14.8, 4.18.3 and 4.21.0 | HIGH | Camel JMS deserialization filter bypass: a forged DefaultExchangeHolder carried in a JMS ObjectMessage passes the CVE-2026-40860 class check and is unmarshalled into the Exchange, letting an attacker who can publish an ObjectMessage inject the message body, headers, exchange properties, variables and exception |
| CVE-2026-56140 | From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. | 4.14.8, 4.18.3 and 4.21.0 | LOW | Camel-AWS2-SNS: An inbound Camel-namespace filter was added to Sns2HeaderFilterStrategy to align it with sibling components; because camel-aws2-sns is producer-only (no consumer) there is no reachable inbound header-injection path, so this is a defense-in-depth hardening change related to the camel-aws2-sqs issue CVE-2026-46456 |
| CVE-2026-56139 | From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. | 4.14.8, 4.18.3 and 4.21.0 | MEDIUM | Camel-Undertow: The muteException consumer option defaulted to false, so a processing error returned the full Java stack trace in the HTTP response body, disclosing sensitive internal information to unauthenticated clients - and the option was not honoured at all for Rest DSL consumers |
| CVE-2026-55994 | From 4.17.0 before 4.18.3, from 4.19.0 before 4.21.0. | 4.18.3 and 4.21.0 | HIGH | Camel-Iggy: The inbound consumer maps externally-supplied Iggy message user-headers into the Exchange without a HeaderFilterStrategy, allowing injection of Camel control headers - enabling server-side request forgery and disclosure of secrets when bridged to an HTTP producer |
| CVE-2026-55993 | From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. | 4.14.8, 4.18.3 and 4.21.0 | HIGH | Camel-Atmosphere-Websocket: The inbound consumer maps externally-supplied WebSocket query parameters into the Exchange without a HeaderFilterStrategy, allowing injection of Camel control headers - enabling server-side request forgery and disclosure of secrets when bridged to an HTTP producer |
| CVE-2026-53913 | From 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. | 4.18.3 and 4.21.0 | HIGH | Camel-Keycloak: KeycloakSecurityPolicy verifies the bearer access token only inside its role and permission checks, so in the default configuration (no required roles or permissions) the token is never verified and any non-null bearer value is accepted - a fail-open authentication bypass |
| CVE-2026-49365 | From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. | 4.14.8, 4.18.3 and 4.21.0 | MEDIUM | Camel-Netty-HTTP: The muteException consumer option defaulted to false, so a processing error returned the full Java stack trace in the HTTP response body, disclosing sensitive internal information to unauthenticated clients |
| CVE-2026-49099 | From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. | 4.14.8, 4.18.3 and 4.21.0 | MEDIUM | Camel-Salesforce: Non-Camel-prefixed Exchange header constants (sObjectQuery, sObjectSearch, apexUrl, ...) bypass the HTTP header filter, allowing an HTTP client to inject SOQL/SOSL queries, override the target SObject, and redirect Apex REST calls using the connected Salesforce user's permissions |
| CVE-2026-49098 | From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. | 4.14.8, 4.18.3 and 4.21.0 | MEDIUM | Camel-Kafka: The kafka.OVERRIDE_TOPIC (and other kafka.*) Exchange header constants used non-Camel-prefixed names that bypass the upstream HTTP header filter, allowing an HTTP client to redirect Kafka messages to an arbitrary topic |
| CVE-2026-49097 | From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. | 4.14.8, 4.18.3 and 4.21.0 | MEDIUM | Camel-IRC: The irc.sendTo (and other irc.*) Exchange header constants used non-Camel-prefixed names that bypass the HTTP header filter, allowing an HTTP client to redirect outgoing IRC messages to arbitrary channels or users |
| CVE-2026-49086 | From 4.12.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. | 4.14.8, 4.18.3 and 4.21.0 | MEDIUM | Camel-Dapr: The Dapr Pub/Sub consumer copied the inbound CloudEvent's pub/sub-name and topic into producer-direction routing headers, allowing an actor who can publish to the subscribed topic to redirect the re-published message to an arbitrary Dapr Pub/Sub component and topic |
| CVE-2026-48206 | From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. | 4.14.8, 4.18.3 and 4.21.0 | MEDIUM | Camel-JIRA: A set of non-Camel-prefixed Exchange header constants (IssueKey, ProjectKey, IssueTransitionId, ...) bypass the HTTP header filter, allowing an HTTP client to drive arbitrary JIRA issue operations using the endpoint's configured credentials |
| CVE-2026-48205 | From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. | 4.14.8, 4.18.3 and 4.21.0 | MEDIUM | Camel-DNS: The dns.* and term Exchange header constants used non-Camel-prefixed names that bypass the HTTP header filter, allowing an HTTP client to redirect DNS queries to an attacker-controlled server (server-side request forgery) and enumerate internal hostnames |
| CVE-2026-48204 | From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. | 4.14.8, 4.18.3 and 4.21.0 | MEDIUM | Camel-MongoDB-GridFS: The gridfs.* control headers used non-Camel-prefixed names that bypass the HTTP header filter, allowing an HTTP client to switch the GridFS operation - including destructive file deletion - in the default configuration |
| CVE-2026-48203 | From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. | 4.14.8, 4.18.3 and 4.21.0 | MEDIUM | Camel-Solr: The SolrParam. and SolrField. Exchange header prefixes used non-Camel-prefixed names that bypass the HTTP header filter, allowing an HTTP client to inject Solr query parameters (server-side request forgery) and document fields |
| CVE-2026-46726 | From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. | 4.14.8, 4.18.3 and 4.21.0 | HIGH | Camel-Vertx-Websocket: The inbound consumer maps externally-supplied WebSocket query and path parameters into the Exchange without a HeaderFilterStrategy, allowing injection of Camel control headers - enabling server-side request forgery and disclosure of secrets when bridged to an HTTP producer |
| CVE-2026-46592 | From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. | 4.14.8, 4.18.3 and 4.21.0 | MEDIUM | Camel-CXF: The SOAP operation-selection headers used non-Camel-prefixed names (operationName, operationNamespace) that bypass the HTTP header filter, allowing an HTTP client to redirect the invoked SOAP operation |
| CVE-2026-46591 | From 4.10.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. | 4.14.8, 4.18.3 and 4.21.0 | MEDIUM | Camel-Neo4j: JSON property names from the CamelNeo4jMatchProperties header are interpolated into the Cypher WHERE clause without validation, allowing Cypher injection (incomplete remediation of CVE-2025-66169) |
| CVE-2026-46590 | From 4.18.0 before 4.18.3, from 4.19.0 before 4.21.0. | 4.18.3 and 4.21.0 | MEDIUM | Camel-PQC: The HashiCorp Vault and AWS Secrets Manager key-lifecycle managers deserialize persisted key metadata with java.io.ObjectInputStream and no ObjectInputFilter (incomplete remediation of CVE-2026-40048) |
| CVE-2026-46585 | From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. | 4.14.8, 4.18.3 and 4.21.0 | MEDIUM | Camel-Lucene: The query control headers used non-Camel-prefixed names (QUERY, RETURN_LUCENE_DOCS) that bypass the HTTP header filter, allowing an HTTP client to inject the full-text search query |
| CVE-2026-46584 | From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. | 4.14.8, 4.18.3 and 4.21.0 | MEDIUM | Camel-Mail: The mail producer applied attacker-supplied mail.smtp.* / mail.smtps.* message headers as JavaMail session properties, allowing an attacker to weaken the SMTP transport security and, on releases before 4.19.0, redirect the connection and steal the configured SMTP credentials |
| CVE-2026-46457 | From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. | 4.14.8, 4.18.3 and 4.21.0 | MEDIUM | Camel-NATS: Inbound NATS message headers are mapped into the Exchange without a configured HeaderFilterStrategy, allowing a client that can publish to the subject to inject Camel control headers |
| CVE-2026-46456 | From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. | 4.14.8, 4.18.3 and 4.21.0 | MEDIUM | Camel-AWS2-SQS: Inbound message attributes are mapped into the Exchange without an inbound HeaderFilterStrategy, allowing a message sender to inject Camel control headers |
| CVE-2026-46455 | From 4.18.0 before 4.18.3, from 4.19.0 before 4.21.0. | 4.18.3 and 4.21.0 | MEDIUM | Camel-Keycloak: The access-token validity window is not verified because the IS_ACTIVE check is missing from the TokenVerifier, allowing expired tokens to be accepted |
| CVE-2026-46454 | From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. | 4.14.8, 4.18.3 and 4.21.0 | MEDIUM | Camel-Cometd: Inbound Bayeux message headers are mapped into the Exchange without a HeaderFilterStrategy, allowing unauthenticated clients to inject Camel control headers |
| CVE-2026-46453 | From 4.3.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. | 4.14.8, 4.18.3 and 4.21.0 | MEDIUM | Camel-Elasticsearch-Rest-Client: Exchange header constants without the Camel prefix bypass inbound HTTP header filtering, allowing untrusted clients to override the Elasticsearch query and operation |
| CVE-2026-43865 | From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. | 4.14.8, 4.18.3 and 4.21.0 | MEDIUM | Camel-Hazelcast: Unsafe Java deserialization in default-configured managed Hazelcast instances enables remote code execution |
| CVE-2026-40859 | From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.20.0. | 4.14.8, 4.18.3 and 4.20.0 | MEDIUM | Camel-Vertx-Http and Camel-Netty-Http: Unsafe Java deserialization of HTTP response bodies via a raw ObjectInputStream when transferException is enabled |
| CVE-2026-40047 | From 4.15.0 before 4.18.3. | 4.18.3 and 4.19.0 | MEDIUM | Camel-Docling: Insufficient validation of custom CLI arguments enables argument injection and path traversal in DoclingProducer |
| CVE-2026-47323 | from 3.18.0 before 4.14.6, from 4.15.0 before 4.18.2, from 4.19.0 before 4.19.0 | 4.14.6, 4.18.2 and 4.19.0 | MEDIUM | Camel-CXF and Camel-Knative Message Header Injection via Missing Inbound Filtering |
| CVE-2026-45760 | This issue affects Apache Camel K: from 2.0.0 before 2.8.1, from 2.9.0 before 2.9.2, from 2.10.0 before 2.10.1. | 2.8.1, 2.9.2 and 2.10.1 | HIGH | Camel K Cross-Namespace Build Deputy Attack |
| CVE-2026-33453 | From 4.14.0 before 4.14.6, from 4.15.0 before 4.18.1. | 4.14.6, 4.18.1 and 4.19.0 | HIGH | Apache Camel: Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Camel-Coap component. |
| CVE-2026-42527 | Apache Camel 4.14.0 through 4.14.7 (4.14.x line). Apache Camel 4.18.0 through 4.18.2 (4.18.x line). Apache Camel 4.20.0. | 4.14.8, 4.18.3, 4.21.0. | MEDIUM | Permissive default ObjectInputFilter pattern admits java.net.** and enables DNS-based information disclosure |
| CVE-2026-40860 | From 3.0.0 before 4.14.7, from 4.15.0 before 4.18.2, and from 4.19.0 before 4.20.0. | 4.14.7, 4.18.2 and 4.20.0 | HIGH | Unsafe Deserialization of JMS ObjectMessage in camel-jms, camel-sjms, camel-sjms2 and camel-amqp |
| CVE-2026-40858 | From 4.0.0 before 4.14.7, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0 | 4.14.7, 4.18.2 and 4.20.0 | HIGH | Camel-Infinispan: Unsafe Deserialization in ProtoStream Remote Aggregation Repository |
| CVE-2026-40473 | From 3.0.0 before 4.14.6, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0. | 4.14.6, 4.18.2 and 4.20.0 | MEDIUM | Camel-Mina: Unsafe Deserialization in MinaConverter.toObjectInput() via TCP/UDP |
| CVE-2026-40453 | From 3.0.0 before 4.14.6, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0. | 4.14.6, 4.18.2 and 4.20.0 | MEDIUM | Incomplete fix for CVE-2025-27636 in non-HTTP HeaderFilterStrategies (camel-jms, camel-sjms, camel-coap, camel-google-pubsub) allows case-variant header injection |
| CVE-2026-40048 | From 4.19.0 before 4.20.0, from 4.18.0 before 4.18.2. | 4.18.2 and 4.20.0 | HIGH | Camel-PQC: Unsafe Deserialization from FileBasedKeyLifecycleManager |
| CVE-2026-40022 | From 4.14.1 before 4.14.6, from 4.15.0 before 4.18.2. | 4.14.6, 4.18.2 and 4.20.0 | MEDIUM | Camel-Platform-HTTP-Main: Authentication Bypass on Non-Root Context Paths in camel main runtime |
| CVE-2026-33454 | From 3.0.0 before 4.14.6, from 4.15.0 before 4.18.1. | 4.14.6, 4.18.1 and 4.19.0 | HIGH | Camel-Mail Message Header Injection via Improper Filtering |
| CVE-2026-27172 | From 3.0.0 before 4.14.6 and from 4.15.0 before 4.18.1 | 4.14.6, 4.18.1 and 4.19.0 | HIGH | Apache Camel: Unsafe Java deserialization in camel-consul ConsulRegistry allows arbitrary code execution via malicious values read from the Consul KV store |
| CVE-2026-25747 | From 3.0.0 before 4.10.9, from 4.11.0 before 4.14.5, from 4.15.0 before 4.18.0. | 4.10.9, 4.14.5 and 4.18.0 | HIGH | Apache Camel: Camel-LevelDB: Unsafe Deserialization from LevelDBAggregationRepository |
| CVE-2026-23552 | From 4.15.0 before 4.18.0. | 4.18.0 | HIGH | Apache Camel: Camel-Keycloak: Cross-Realm Token Acceptance in KeycloakSecurityPolicy |
| CVE-2025-66169 | Apache Camel 4.10.x before 4.10.8, Apache Camel 4.14.x before 4.14.3, Apache Camel 4.15.0 and 4.16.0. | 4.10.8, 4.14.3 and 4.17.0 | MEDIUM | Cypher injection vulnerability in Camel-Neo4j component |
| 2025 | ||||
| CVE-2025-30177 | Apache Camel 4.10.0 before 4.10.3. Apache Camel 4.8.0 before 4.8.6. | 4.8.6 and 4.10.3 | MEDIUM | Camel-Undertow Message Header Injection via Improper Filtering |
| CVE-2025-29891 | Apache Camel 4.10.0 before 4.10.2. Apache Camel 4.8.0 before 4.8.5. Apache Camel 3.10.0 before 3.22.4. | 3.22.4, 4.8.5 and 4.10.2 | HIGH | Camel Message Header Injection through request parameters |
| CVE-2025-27636 | Apache Camel 4.10.0 before 4.10.2. Apache Camel 4.8.0 before 4.8.5. Apache Camel 3.10.0 before 3.22.4. | 3.22.4, 4.8.5 and 4.10.2 | MEDIUM | Camel Message Header Injection via Improper Filtering |
| 2024 | ||||
| CVE-2024-22371 | From 3.0.0 before 3.21.4, from 3.22.0 before 3.22.1, from 4.0.0 before 4.0.4, from 4.1.0 before 4.4.0 | 3.21.4, 3.22.1, 4.0.4 and 4.4.0 | LOW | Exposure of sensitive data by crafting a malicious EventFactory and providing a custom ExchangeCreatedEvent that exposes sensitive data |
| CVE-2024-23114 | From 3.0.0 before 3.21.4, from 3.22.0 before 3.22.1, from 4.0.0 before 4.0.4, from 4.1.0 before 4.4.0. | 3.21.4, 3.22.1, 4.0.4 and 4.4.0 | HIGH | Apache Camel: Camel-CassandraQL: Unsafe Deserialization from CassandraAggregationRepository |
| CVE-2024-22369 | From 3.0.0 before 3.21.4, from 3.22.0 before 3.22.1, from 4.0.0 before 4.0.4, from 4.1.0 before 4.4.0. | 3.21.4, 3.22.1, 4.0.4 and 4.4.0 | HIGH | Apache Camel: Camel-SQL: Unsafe Deserialization from JDBCAggregationRepository |
| 2023 | ||||
| CVE-2023-34442 | 3.0.0 up to 3.14.8, and 3.18.0 up to 3.18.7, 3.20.0 up to 3.20.5 and 4.0.0-M1 up to 4.0.0-M3 | 3.14.9, 3.18.8, 3.20.6, 3.21.0 and 4.0.0-RC1 | LOW | Temporary File Local Information Disclosure in camel-jira |
| 2022 | ||||
| CVE-2022-45046 | 3.0.0 up to 3.14.5, and 3.15.0 up to 3.18.3, and 3.19.0. | 3.14.6, 3.18.4 | MEDIUM | LDAP Injection in camel-ldap |
| 2021 | ||||
| No issues reported | ||||
| 2020 | ||||
| CVE-2020-11994 | 2.22.x, 2.23.x, 2.24.x, 2.25.0 and 2.25.1, 3.0.0 up to 3.3.0 | 2.25.2, 3.4.0 | MEDIUM | Server-Side Template Injection and arbitrary file disclosure on Camel templating components |
| CVE-2020-11973 | 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 | 2.25.1, 3.2.0 | MEDIUM | Apache Camel Netty enables Java deserialization by default |
| CVE-2020-11972 | 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 | 2.25.1, 3.2.0 | MEDIUM | Apache Camel RabbitMQ enables Java deserialization by default |
| CVE-2020-11971 | 2.22.x, 2.23.x, 2.24.x, 2.25.x, 3.0.0 up to 3.1.0 | 3.2.0 | MEDIUM | Apache Camel JMX Rebind Flaw Vulnerability |
| 2019 | ||||
| CVE-2019-0188 | Apache Camel versions prior to 2.24.0 | 2.24.0 | MEDIUM | Apache Camel-XMLJson vulnerable to XML external entity injection (XXE) |
| CVE-2019-0194 | 2.21.0 up to 2.21.3, 2.22.0 up to 2.22.2, 2.23.0 | 2.21.5, 2.22.3, 2.23.1 | MEDIUM | Apache Camel's File is vulnerable to directory traversal |
| 2018 | ||||
| CVE-2018-8041 | 2.20.0 up to 2.20.3, 2.21.0 up to 2.21.1, 2.22.0 | 2.20.4, 2.21.1, 2.22.1 and newer | MEDIUM | Apache Camel's Mail is vulnerable to path traversal |
| CVE-2018-8027 | 2.20.0 up to 2.20.3, 2.21.0 | 2.20.4, 2.21.1 and newer | MEDIUM | Apache Camel's Core is vulnerable to XXE in XSD validation processor |
| 2017 | ||||
| CVE-2017-12634 | 2.19.0 up to 2.19.3, 2.20.0 | 2.19.4, 2.20.1 and newer | MEDIUM | Apache Camel's Castor unmarshalling operation is vulnerable to Remote Code Execution attacks |
| CVE-2017-12633 | 2.19.0 up to 2.19.3, 2.20.0 | 2.19.4, 2.20.1 and newer | MEDIUM | Apache Camel's Hessian unmarshalling operation is vulnerable to Remote Code Execution attacks |
| CVE-2016-8749 | 2.16.0 up to 2.16.4, 2.17.0 up to 2.17.4, 2.18.0 up to 2.18.1 | 2.16.5, 2.17.5, 2.18.2 | MEDIUM | Apache Camel's Jackson and JacksonXML unmarshalling operation are vulnerable to Remote Code Execution attacks |
| CVE-2017-5643 | 2.17.0 up to 2.17.5, 2.18.0 up to 2.18.2 | 2.17.6, 2.18.3 and newer | MEDIUM | Apache Camel's Validation Component is vulnerable against SSRF via remote DTDs and XXE |
| CVE-2017-3159 | 2.17.0 up to 2.17.4, 2.18.0 up to 2.18.1 | 2.17.5, 2.18.2 and newer | MEDIUM | Apache Camel's Snakeyaml unmarshalling operation is vulnerable to Remote Code Execution attacks |
| 2016 | ||||
| CVE-2015-5348 | 2.15.0 up to 2.15.4, 2.16.0 | 2.15.5, 2.16.1 and newer | MEDIUM | Apache Camel's Jetty/Servlet usage is vulnerable to Java object de-serialisation vulnerability. |
| CVE-2015-5344 | 2.15.0 up to 2.15.4, 2.16.0 | 2.15.5, 2.16.1 and newer | MEDIUM | Apache Camel's XStream usage is vulnerable to Remote Code Execution attacks. |
| 2015 | ||||
| CVE-2015-0264 | 2.13.0 up to 2.13.3, 2.14.0 up to 2.14.1 | 2.13.4, 2.14.2, 2.15.0 and newer | MEDIUM | The XPath handling in Apache Camel for invalid XML Strings or invalid XML GenericFile objects allows remote attackers to read arbitrary files via an XML External Entity (XXE) declaration. The XML External Entity (XXE) will be resolved before the Exception is thrown. |
| CVE-2015-0263 | 2.13.0 up to 2.13.3, 2.14.0 up to 2.14.1 | 2.13.4, 2.14.2, 2.15.0 and newer | MEDIUM | The XML converter setup in Apache Camel allows remote attackers to read arbitrary files via an SAXSource containing an XML External Entity (XXE) declaration. |
| 2014 | ||||
| CVE-2014-0003 | 2.11.0 up to 2.11.3, 2.12.0 up to 2.12.2 | 2.11.4, 2.12.3, 2.13.0 and newer | CRITICAL | The Apache Camel XSLT component allows XSL stylesheets to perform calls to external Java methods. |
| CVE-2014-0002 | 2.11.0 up to 2.11.3, 2.12.0 up to 2.12.2 | 2.11.4, 2.12.3, 2.13.0 and newer | CRITICAL | The Apache Camel XSLT component will resolve entities in XML messages when transforming them using an xslt route. |
| 2013 | ||||
| CVE-2013-4330 | 2.9.0 up to 2.9.7, 2.10.0 up to 2.10.6, 2.11.0 up to 2.11.1, 2.12.0 | 2.9.8, 2.10.7, 2.11.2, 2.12.1 and newer | CRITICAL | Writing files using the FILE or FTP components can potentially be exploited by a malicious user. |