camel-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject [camel] 03/14: Security Advisories: Porting to docs
Date Wed, 12 Sep 2018 11:47:35 GMT
This is an automated email from the ASF dual-hosted git repository.

acosentino pushed a commit to branch master
in repository

commit 403af26946165eec31d348fe9ce1a8f4680698e4
Author: Andrea Cosentino <>
AuthorDate: Wed Sep 12 13:39:30 2018 +0200

    Security Advisories: Porting to docs
 .../en/security-advisories/CVE-2014-0003.txt.asc   | 46 ++++++++++++++++++++++
 1 file changed, 46 insertions(+)

diff --git a/docs/user-manual/en/security-advisories/CVE-2014-0003.txt.asc b/docs/user-manual/en/security-advisories/CVE-2014-0003.txt.asc
new file mode 100644
index 0000000..7d64855
--- /dev/null
+++ b/docs/user-manual/en/security-advisories/CVE-2014-0003.txt.asc
@@ -0,0 +1,46 @@
+Hash: SHA1
+CVE-2014-0003: Apache Camel critical disclosure vulnerability
+Severity: Critical
+Vendor: The Apache Software Foundation
+Versions Affected: Camel 2.11.0 to 2.11.3, Camel 2.12.0 to 2.12.2
+The unsupported Camel 2.3.x, 2.4.x, 2.5.x, 2.6.x, 2.7.x, 2.8.x, 2.9.x and 2.10.x versions
may be also affected.
+Description: The Apache Camel XSLT component allows XSL stylesheets to perform calls to external
Java methods. A remote attacker able to submit messages to an xslt Camel route could use this
flaw to perform arbitrary remote code execution in the context of the Camel server process.
+Mitigation: 2.11.x users should upgrade to 2.11.4, 2.12.x users should upgrade to 2.12.3.
This patch will be included from Camel 2.13.0:;a=commitdiff;h=e922f89290f236f3107039de61af0375826bd96d
+Example: Create a simple route which receives an HTTP request, apply a (safe) stylesheet
and store the result in a file:
+  <from uri="servlet:///hello"/>
+  <to uri="xslt:file:/tmp/transform.xsl" />
+  <to uri="file:/tmp/output" />
+If an attacker is able to submit a message to this route, they can change the XSLT stylesheet
to use for this transfiormation. This stylesheet could be provided by a valid URL and could
perform arbitrary remote code execution.
+Credit: This issue was discovered by David Jorm.
+Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
+Comment: GPGTools -

View raw message