CVE-2014-0002 — Apache Camel's XSLT component allows remote attackers to read arbitrary files

Description

The XSLT component in Apache Camel before 2.11.4 and 2.12.x before 2.12.3 allows remote attackers to read arbitrary files and possibly have other unspecified impact via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

How to fix CVE-2014-0002

To remediate CVE-2014-0002, upgrade the affected package to a fixed version below.

Maven/org.apache.camel:camel-core—upgrade to 2.11.4 or later

Is CVE-2014-0002 being exploited?

Moderate — EPSS is 28.7%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (1)

from 0, < 2.11.4

References (14)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2014-0002
PATCHgithub.com/apache/camel
WEBcamel.apache.org/security-advisories.data/CVE-2014-0002.txt.asc
WEBrhn.redhat.com/errata/RHSA-2014-0371.html
WEB