CVE-2015-0264 — Apache Camel allows remote actor to read arbitrary files via external entity in

Description

Multiple XML external entity (XXE) vulnerabilities in builder/xml/XPathBuilder.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allow remote attackers to read arbitrary files via an external entity in an invalid XML (1) String or (2) GenericFile object in an XPath query.

How to fix CVE-2015-0264

To remediate CVE-2015-0264, upgrade the affected package to a fixed version below.

Maven/org.apache.camel:camel-core—upgrade to 2.13.4 or later

Is CVE-2015-0264 being exploited?

Low — EPSS is 2.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 2.13.4

References (14)

ADVISORYgithub.com/advisories/GHSA-mhx2-r3jx-g94c
ADVISORYnvd.nist.gov/vuln/detail/CVE-2015-0264
PATCHgithub.com/apache/camel
WEBrhn.redhat.com/errata/RHSA-2015-1041.html
WEBrhn.redhat.com