Apache Camel security information

Reporting new security problems with Apache Camel

The Apache Software Foundation takes a very active stance in eliminating security problems.

We strongly encourage folks to report such problems to the private security mailing list of the ASF Security Team, before disclosing them in a public forum.

Please see the page of the ASF Security Team for further information and contact information.

Security advisories

Security advisories by year
Reference Affected Fixed CVSS score Description
2020
CVE-2020-11994 2.22.x, 2.23.x, 2.24.x, 2.25.0 and 2.25.1, 3.0.0 up to 3.3.0 2.25.2, 3.4.0 MEDIUM Server-Side Template Injection and arbitrary file disclosure on Camel templating components
CVE-2020-11973 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 2.25.1, 3.2.0 MEDIUM Apache Camel Netty enables Java deserialization by default
CVE-2020-11972 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 2.25.1, 3.2.0 MEDIUM Apache Camel RabbitMQ enables Java deserialization by default
CVE-2020-11971 2.22.x, 2.23.x, 2.24.x, 2.25.x, 3.0.0 up to 3.1.0 3.2.0 MEDIUM Apache Camel JMX Rebind Flaw Vulnerability
2019
CVE-2019-0188 Apache Camel versions prior to 2.24.0 2.24.0 MEDIUM Apache Camel-XMLJson vulnerable to XML external entity injection (XXE)
CVE-2019-0194 2.21.0 up to 2.21.3, 2.22.0 up to 2.22.2, 2.23.0 2.21.5, 2.22.3, 2.23.1 MEDIUM Apache Camel's File is vulnerable to directory traversal
2018
CVE-2018-8041 2.20.0 up to 2.20.3, 2.21.0 up to 2.21.1, 2.22.0 2.20.4, 2.21.1, 2.22.1 and newer MEDIUM Apache Camel's Mail is vulnerable to path traversal
CVE-2018-8027 2.20.0 up to 2.20.3, 2.21.0 2.20.4, 2.21.1 and newer MEDIUM Apache Camel's Core is vulnerable to XXE in XSD validation processor
2017
CVE-2017-12634 2.19.0 up to 2.19.3, 2.20.0 2.19.4, 2.20.1 and newer MEDIUM Apache Camel's Castor unmarshalling operation is vulnerable to Remote Code Execution attacks
CVE-2017-12633 2.19.0 up to 2.19.3, 2.20.0 2.19.4, 2.20.1 and newer MEDIUM Apache Camel's Hessian unmarshalling operation is vulnerable to Remote Code Execution attacks
CVE-2016-8749 2.16.0 up to 2.16.4, 2.17.0 up to 2.17.4, 2.18.0 up to 2.18.1 2.16.5, 2.17.5, 2.18.2 MEDIUM Apache Camel's Jackson and JacksonXML unmarshalling operation are vulnerable to Remote Code Execution attacks
CVE-2017-5643 2.17.0 up to 2.17.5, 2.18.0 up to 2.18.2 2.17.6, 2.18.3 and newer MEDIUM Apache Camel's Validation Component is vulnerable against SSRF via remote DTDs and XXE
CVE-2017-3159 2.17.0 up to 2.17.4, 2.18.0 up to 2.18.1 2.17.5, 2.18.2 and newer MEDIUM Apache Camel's Snakeyaml unmarshalling operation is vulnerable to Remote Code Execution attacks
2016
CVE-2015-5348 2.15.0 up to 2.15.4, 2.16.0 2.15.5, 2.16.1 and newer MEDIUM Apache Camel's Jetty/Servlet usage is vulnerable to Java object de-serialisation vulnerability.
CVE-2015-5344 2.15.0 up to 2.15.4, 2.16.0 2.15.5, 2.16.1 and newer MEDIUM Apache Camel's XStream usage is vulnerable to Remote Code Execution attacks.
2015
CVE-2015-0264 2.13.0 up to 2.13.3, 2.14.0 up to 2.14.1 2.13.4, 2.14.2, 2.15.0 and newer MEDIUM The XPath handling in Apache Camel for invalid XML Strings or invalid XML GenericFile objects allows remote attackers to read arbitrary files via an XML External Entity (XXE) declaration. The XML External Entity (XXE) will be resolved before the Exception is thrown.
CVE-2015-0263 2.13.0 up to 2.13.3, 2.14.0 up to 2.14.1 2.13.4, 2.14.2, 2.15.0 and newer MEDIUM The XML converter setup in Apache Camel allows remote attackers to read arbitrary files via an SAXSource containing an XML External Entity (XXE) declaration.
2014
CVE-2014-0003 2.11.0 up to 2.11.3, 2.12.0 up to 2.12.2 2.11.4, 2.12.3, 2.13.0 and newer CRITICAL The Apache Camel XSLT component allows XSL stylesheets to perform calls to external Java methods.
CVE-2014-0002 2.11.0 up to 2.11.3, 2.12.0 up to 2.12.2 2.11.4, 2.12.3, 2.13.0 and newer CRITICAL The Apache Camel XSLT component will resolve entities in XML messages when transforming them using an xslt route.
2013
CVE-2013-4330 2.9.0 up to 2.9.7, 2.10.0 up to 2.10.6, 2.11.0 up to 2.11.1, 2.12.0 2.9.8, 2.10.7, 2.11.2, 2.12.1 and newer CRITICAL Writing files using FILE or FTP components, can potentially be exploited by a malicious user.