Bug 1203341 (CVE-2015-0264)
Summary: | CVE-2015-0264 Camel: XXE via XPath expression evaluation | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Martin Prpič <mprpic> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | acai, aileenc, alazarot, bleanhar, ccoleman, chazlett, dmcphers, etirelli, gvarsami, jcoleman, jialiu, jkeck, jokerman, kconner, ldimaggi, lmeyer, lpetrovi, mbaluch, mmccomas, mwinkler, nwallace, rrajasek, rwagner, rzhang, soa-p-jira, tcunning, tkirby, weli |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Camel 2.13.4, Camel 2.14.2 | Doc Type: | Bug Fix |
Doc Text: |
It was found that Apache Camel performed XML External Entity (XXE) expansion when evaluating invalid XML Strings or invalid XML GenericFile objects. A remote attacker able to submit a crafted XML message could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2019-06-08 02:40:01 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1217647, 1217645, 1217646, 1217648, 1217649, 1217650, 1217651, 1217652, 1217653, 1217654 | ||
Bug Blocks: | 1203345, 1222987, 1244364, 1288332, 1385169 |
Description
Martin Prpič
2015-03-18 15:44:52 UTC
This issue has been addressed in the following products: JBoss Fuse/A-MQ 6.1.0 Via RHSA-2015:1041 https://rhn.redhat.com/errata/RHSA-2015-1041.html This issue has been addressed in the following products: JBoss BPM Suite 6.1.2 Via RHSA-2015:1539 https://rhn.redhat.com/errata/RHSA-2015-1539.html This issue has been addressed in the following products: JBoss BRMS 6.1.2 Via RHSA-2015:1538 https://rhn.redhat.com/errata/RHSA-2015-1538.html This issue has been addressed in the following products: JBoss Fuse Service Works 6.2.1 Via RHSA-2015:2558 https://rhn.redhat.com/errata/RHSA-2015-2558.html |