The Validation Component of Apache Camel evaluates DTD headers of XML stream sources even though the validation being performed is against an XML Schema (XSD). Remote attackers can exploit this to perform Server-Side Request Forgery (SSRF) by sending XML documents that reference remote DTD URLs or contain XML External Entities (XXE). SAX and StAX sources are not affected.
Versions Affected: Camel 2.17.0 to 2.17.5, Camel 2.18.0 to 2.18.2
Unsupported Camel 2.x versions (2.16 and earlier) may also be affected.
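The behaviour described above can be reproduced with plain JAXP, which Camel's validator is built on: an XSD validator fed a stream source will dereference an external DTD before any schema check runs unless external DTD access is switched off. The following is an added, stand-alone example (not Camel's own code); the schema, the document and the `dtd.example.invalid` host are constructed placeholders.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import org.xml.sax.SAXException;

public class XsdValidationDtdCheck {
    // Constructed schema: a single <order> element with string content.
    static final String XSD =
        "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\">"
      + "<xs:element name=\"order\" type=\"xs:string\"/></xs:schema>";

    // Constructed document: valid against the XSD, but its DOCTYPE names an
    // external DTD. A parser that honours DTDs tries to fetch it before the
    // XSD validation happens. The host is a non-resolvable placeholder.
    static final String XML =
        "<!DOCTYPE order SYSTEM \"http://dtd.example.invalid/order.dtd\">"
      + "<order>42</order>";

    static Validator newValidator(boolean blockExternalDtd) throws SAXException {
        SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        Schema schema = sf.newSchema(new StreamSource(new StringReader(XSD)));
        Validator v = schema.newValidator();
        if (blockExternalDtd) {
            // JAXP 1.5 properties: an empty protocol list forbids every external
            // DTD fetch and every external schemaLocation/import/include fetch.
            v.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            v.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        }
        return v;
    }

    // Returns a one-line summary of what the validator did with the DOCTYPE.
    static String check(boolean blockExternalDtd) {
        try {
            newValidator(blockExternalDtd).validate(new StreamSource(new StringReader(XML)));
            return "valid (external DTD was fetched or ignored)";
        } catch (Exception e) {
            // Default settings fail with an unknown-host error, proving the outbound
            // attempt; hardened settings fail with an accessExternalDTD restriction
            // message without touching the network.
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println("default : " + check(false));
        System.out.println("hardened: " + check(true));
    }
}
```

Running this against a validation stack shows whether DOCTYPE declarations in incoming XML can trigger outbound requests; the same two properties are the settings to verify on any `Validator` or `SchemaFactory` that processes untrusted input.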
This issue has been addressed in the following products:
* Red Hat JBoss Fuse, via RHSA-2017:1832 https://access.redhat.com/errata/RHSA-2017:1832
This vulnerability is out of security support scope for the following product:
* Red Hat JBoss Data Grid 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.