Apache Camel security advisory: CVE-2014-0002
SummaryThe Apache Camel XSLT component will resolve entities in XML messages when transforming them using an xslt route.
Versions affected2.11.0 up to 2.11.3, 2.12.0 up to 2.12.2
Versions fixed2.11.4, 2.12.3, 2.13.0 and newer
DescriptionThe Apache Camel XSLT component will resolve entities in XML messages when transforming them using an xslt route. A remote attacker able to submit messages to an xslt route could use this flaw to read files accessible to the running application server and potentially perform other more advanced XXE attacks.
Example: Create a simple route which receives an HTTP request, apply a (safe) stylesheet and store the result in a file:
<route> <from uri="servlet:///hello"/> <to uri="xslt:file:/tmp/transform.xsl" /> <to uri="file:/tmp/output" /> </route>
If an attacker is able to submit a message to this route, they can provide a message that is an XML document containing external entities. These entities will be resolved, and their contents included in the output of the transformation performed by the xslt route.
Mitigation2.11.x users should upgrade to 2.11.4, 2.12.x users should upgrade to 2.12.3. This patch will be included from Camel 2.13.0: https://git-wip-us.apache.org/repos/asf?p=camel.git;a=commitdiff;h=341d4e6cca71c53c90962d1c3d45fc9e05cc50c6
CreditThis issue was discovered by David Jorm.
- PGP signed advisory data: CVE-2014-0002.txt.asc
- Mitre CVE Entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0002