camel-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From acosent...@apache.org
Subject [camel] 01/14: Security Advisories: Porting to docs
Date Wed, 12 Sep 2018 11:47:33 GMT
This is an automated email from the ASF dual-hosted git repository.

acosentino pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/camel.git

commit 6ececac1f8398c5dca410a33655609568d174f0f
Author: Andrea Cosentino <ancosen@gmail.com>
AuthorDate: Wed Sep 12 13:36:36 2018 +0200

    Security Advisories: Porting to docs
---
 .../en/security-advisories/CVE-2013-4330.txt.asc   | 46 ++++++++++++++++++++++
 1 file changed, 46 insertions(+)

diff --git a/docs/user-manual/en/security-advisories/CVE-2013-4330.txt.asc b/docs/user-manual/en/security-advisories/CVE-2013-4330.txt.asc
new file mode 100644
index 0000000..1f2e8a3
--- /dev/null
+++ b/docs/user-manual/en/security-advisories/CVE-2013-4330.txt.asc
@@ -0,0 +1,46 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+CVE-2013-4330: Apache Camel critical disclosure vulnerability
+
+Severity: Critical
+
+Vendor: The Apache Software Foundation
+
+Versions Affected: Camel 2.9.0 to 2.9.7, Camel 2.10.0 to 2.10.6, Camel 2.11.0 to 2.11.1,
Camel 2.12.0
+The unsupported Camel 2.3.x, 2.4.x, 2.5.x, 2.6.x, 2.7.x and 2.8.x versions may be also affected.
+
+Description: When sending an Exchange with the in Message Header 'CamelFileName' with a value
of '$simple{...}' to a FILE or FTP producer, it will interpret the value as simple language
expression which can be exploited by a malicious user.
+
+Mitigation: 2.9.x users should upgrade to 2.9.8, 2.10.x users should upgrade to 2.10.7, 2.11.x
users should upgrade to 2.11.2 and 2.12.0 users should upgrade to 2.12.1. This patch will
be included from Camel 2.13.0: https://git-wip-us.apache.org/repos/asf?p=camel.git;a=commitdiff;h=27a9752a565fbef436bac4fcf22d339e3295b2a0
+
+Example: Create a simple route which moves files from one directory to another, e.g.:
+from("file:c:/tmp/in")
+  .to("file:/c:/tmp/out");
+
+If you are using Windows, create an file with a name like
+"$simple{<some malicious code>}" (without the quotes)
+and drop it into the "c:/tmp/in" directory. The file consumer will read and process this
file. It will also set the Exchange in Message Header 'CamelFileName' with the value "$simple{<some
malicious code>}". In the next step, the file producer will interpreted the value of this
header as simple language expression and execute the malicious code.
+
+Credit: This issue was discovered by Grégory Draperi.
+
+References: http://camel.apache.org/security-advisories.html
+
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG/MacGPG2 v2.0.20 (Darwin)
+Comment: GPGTools - http://gpgtools.org
+
+iQIcBAEBAgAGBQJSSszOAAoJEImh9lEqI5wsaNEQAIoITjC6AWQru4H3Eqm7XmGJ
+X2PGYY08XhwDGR7qqnIsYFHIqsSMoW+1YhQqZNV66zrU1hDgpFDz3dj3IaQUXpaE
+9dI6B1eGvayF2GxoBnsc0Dua/43WdhWm9KBHrcGL3TQVEi3D7QmTv4Udsx3+5ita
+xQcYrmrltdKDp8r08GHwFV1jZnafPEbJ5Vw/ATqHAb0hZ7ozv3c3iAqTkER++dzL
+DL+gNKbN1eD8ZeixitQO4eirEkkiRlU8fC6dy+6e6Hra/0L16nyEmpsYWvx+mWnt
+C+1fQQjmwZW/zV2tVqznc8mlVUYuttp3F4GDybYqPgMXlWC9Ri0JZWlNoXTZ0zak
+f6KxcWqHvKs+LhCENFV2cnCtq2uHvGX0HMT4h/eVvGa/t/8gI2tgvaUtt0ylUNWn
+a1znMCjDRwISlqu+jfSja7g1IydtvN1/tssfTMJjRDmng4mpGEa03iunVuwHFJv2
+Y6khePzKKP4wXS5oQ9aMev039IKB2725R28iZ2YH2TolgjicAay8ulBGHq0jx0rm
+QI5zVrAAdWdX3kYjDGED/70gVfhF6N0cG4wpZzT9RW0oYU0kFeTEPJN/1jg3u9Mc
+Fm0FEDCOSRkX4OKKa5nQX8EL92Jz0g6YukPAaQyvegvbjvvMCSxgQbIwFyBh0Yt/
+9JRZ0jp01139FFdpa+QM
+=UpK9
+-----END PGP SIGNATURE-----


Mime
View raw message