Apache Camel security advisory: CVE-2018-8027

Severity

MEDIUM

Summary

Apache Camel's Core is vulnerable to XXE in XSD validation processor

Versions affected

2.20.0 up to 2.20.3, 2.21.0

Versions fixed

2.20.4, 2.21.1 and newer

Description

Apache Camel's Core is vulnerable to XXE External Entity vulnerability XSD validation processor.

Notes

The JIRA tickets: https://issues.apache.org/jira/browse/CAMEL-12444 and https://issues.apache.org/jira/browse/CAMEL-10894 (partial fix) refer to the various commits that resovoled the issue, and have more details.

Mitigation

2.20.x users should upgrade to 2.20.4, 2.21.0 users should upgrade to 2.21.1. The JIRA tickets: https://issues.apache.org/jira/browse/CAMEL-12444 and https://issues.apache.org/jira/browse/CAMEL-10894 (partial fix) refer to the various commits that resovoled the issue, and have more details.

Credit

This issue was discovered by Karel Jelínek <karel dot jelinek at unicorn dot com> from Unicorn Systems.

References

PGP signed advisory data: CVE-2018-8027.txt.asc
Mitre CVE Entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8027