This is an automated email from the ASF dual-hosted git repository. acosentino pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/camel.git
commit a530bf117653574b9a1c9a5e373b37a0684f853b Author: Andrea Cosentino <[email protected]> AuthorDate: Wed Sep 12 13:38:57 2018 +0200 Security Advisories: Porting to docs --- .../en/security-advisories/CVE-2014-0002.txt.asc | 46 ++++++++++++++++++++++ 1 file changed, 46 insertions(+) diff --git a/docs/user-manual/en/security-advisories/CVE-2014-0002.txt.asc b/docs/user-manual/en/security-advisories/CVE-2014-0002.txt.asc new file mode 100644 index 0000000..252af8d --- /dev/null +++ b/docs/user-manual/en/security-advisories/CVE-2014-0002.txt.asc @@ -0,0 +1,46 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + +CVE-2014-0002: Apache Camel critical disclosure vulnerability + +Severity: Critical + +Vendor: The Apache Software Foundation + +Versions Affected: Camel 2.11.0 to 2.11.3, Camel 2.12.0 to 2.12.2 +The unsupported Camel 2.3.x, 2.4.x, 2.5.x, 2.6.x, 2.7.x, 2.8.x, 2.9.x and 2.10.x versions may be also affected. + +Description: The Apache Camel XSLT component will resolve entities in XML messages when transforming them using an xslt route. A remote attacker able to submit messages to an xslt route could use this flaw to read files accessible to the running application server and potentially perform other more advanced XXE attacks. + +Mitigation: 2.11.x users should upgrade to 2.11.4, 2.12.x users should upgrade to 2.12.3. This patch will be included from Camel 2.13.0: https://git-wip-us.apache.org/repos/asf?p=camel.git;a=commitdiff;h=341d4e6cca71c53c90962d1c3d45fc9e05cc50c6 + +Example: Create a simple route which receives an HTTP request, apply a (safe) stylesheet and store the result in a file: +<route> + <from uri="servlet:///hello"/> + <to uri="xslt:file:/tmp/transform.xsl" /> + <to uri="file:/tmp/output" /> +</route> + +If an attacker is able to submit a message to this route, they can provide a message that is an XML document containing external entities. These entities will be resolved, and their contents included in the output of the transformation performed by the xslt route. + +Credit: This issue was discovered by David Jorm. + +References: http://camel.apache.org/security-advisories.html +-----BEGIN PGP SIGNATURE----- +Version: GnuPG/MacGPG2 v2.0.22 (Darwin) +Comment: GPGTools - http://gpgtools.org + +iQIcBAEBAgAGBQJTENZhAAoJEImh9lEqI5wsukkP/2q4Tr9N2NMWYu9+5YYrpSST +TWnhcE7QGVOu3ITRp0WslzzJoa6Dl1q1XB7NRiV9CrHrUAk/GMaMo0M51ezaYUOq ++8HfiHpVbU+frk67bbTCceSug1xLsCb1upD0LUvM28siimMme2lmZtZuzKwYws2o +dG3gqIIgBYxl6Z6tKb7BIqQobsiK/50q5iZ1Z7PLT1hNrJvnBh0N6wgqfSPM0CLj +1NBN1xLJufcooT5pMYSXq8UAKvp9x7CymUTk/b/xbTGE5e8T/XNKAuXoe1/XRfMO +mETrN11hQdrEtflK9uOwHhDOu2SvsBBjBmDGY90K/Da1d1Hjued2Uaz3qGf4nQ9F +SVVLKfB4Z6VZkNqyjZ8JZjdJGWtrLMeixUxoGLKp8S2SXHG9HTfxh0a9GD7g3vfj +hO10B3qJKeWcVnBru4tRy/lmPfmCw28gizR4KEej4YFiPDFp60Z2Rxxsz5dHyOq6 +fUkOcCsMmLUoj1i3YoIcFDos8ZPl6Zuu1xkmOxq+hslixaT9ROUwfuIkV8lRofgT +c1A2Ao5FZu0UK7uR81TNflbTCy+4q7Wojfs6LMydU9VjcGkCl+ES2q9mtv3BE6rN +r69g5lba6ooyZEqPNvDGwTznQVUiHM5roaEooDYnTSU4FhT56isTANqaGncIXCnZ +t3sXFGy7PXvfxxpeKHTb +=VJ0D +-----END PGP SIGNATURE-----
