This is an automated email from the ASF dual-hosted git repository. acosentino pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/camel.git
commit b46412bf7abe56421d034c55ab90f7bba933d52e Author: Andrea Cosentino <[email protected]> AuthorDate: Wed Sep 12 13:44:30 2018 +0200 Security Advisories: Porting to docs --- .../en/security-advisories/CVE-2017-5643.txt.asc | 30 ++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/docs/user-manual/en/security-advisories/CVE-2017-5643.txt.asc b/docs/user-manual/en/security-advisories/CVE-2017-5643.txt.asc new file mode 100644 index 0000000..4d829fb --- /dev/null +++ b/docs/user-manual/en/security-advisories/CVE-2017-5643.txt.asc @@ -0,0 +1,30 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + +CVE-2017-5643: Apache Camel's Validation Component is vulnerable against SSRF via remote DTDs and XXE. + +Severity: MEDIUM + +Vendor: The Apache Software Foundation + +Versions Affected: Camel 2.17.0 to 2.17.5, Camel 2.18.0 to 2.18.2 +The unsupported Camel 2.x (2.16 and earlier) versions may be also affected. + +Description: The Validation Component of Apache Camel evaluates DTD headers of XML stream sources, although a validation against XML schemas (XSD) is executed. Remote attackers can use this feature to make Server-Side Request Forgery (SSRF) attacks by sending XML documents with remote DTDs URLs or XML External Entities (XXE). The vulnerability is not given for SAX or StAX sources. + +Mitigation: 2.17.x users should upgrade to 2.17.6, 2.18.x users should upgrade to 2.18.3. + +The JIRA tickets https://issues.apache.org/jira/browse/CAMEL-10894 refers to the various commits that resolved the issue, and have more details. + +Credit: This issue was discovered by Franz Forsthofer +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.0.22 (GNU/Linux) + +iQEcBAEBAgAGBQJYykp3AAoJEONOnzgC/0EAW1IH+gK4vn5vD+Nve0BWGjMwi7ja +37HH89UdViakH44YBhUObxXrZ+zAJ53fSuXhorcH8zT8hSdgIhuSkhvMKfWfSr5t +pVAh2sNLO8Mnpv/8K2HZ8QVL5RuaYdDcI19TAYO2iSrxI+PX8P3SGqbBmNu1c6E3 +0uVJSCcBscvSporgXdNi4+Oh8YpuuQAmocHbUJf+kK8Sc/Z7rTlMzCJwORvuoekM +0HDC+bfhNgoBU/k6qclTxTEbxMByDX354go/fz8RB/VKzaLuT8UcMp5rvgIYBJTs +kT6K2NchfXIMo8Zmq2iq3QfabtuXgsJtUjYRFHasrFSvrzoqzXpoaTE1XCFgobE= +=BTx+ +-----END PGP SIGNATURE-----
