CVE-2017-5643

Description

Description: The Validation Component of Apache Camel evaluates DTD headers of XML stream sources, although a validation against XML schemas (XSD) is executed. Remote attackers can use this feature to make Server-Side Request Forgery (SSRF) attacks by sending XML documents with remote DTDs URLs or XML External Entities (XXE). The vulnerability is not given for SAX or StAX sources. Mitigation: 2.17.x users should upgrade to 2.17.6, 2.18.x users should upgrade to 2.18.3. The JIRA tickets https://issues.apache.org/jira/browse/CAMEL-10894 refers to the various commits that resolved the issue, and have more details.

How to fix CVE-2017-5643

To remediate CVE-2017-5643, upgrade the affected package to a fixed version below.

• —upgrade to 2.17.6 or later

Is CVE-2017-5643 being exploited?

Low — EPSS is 1.4%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 2.17.6

CVSS scores

References (12)

• ADVISORYgithub.com/advisories/GHSA-vq9j-jh62-5hmp
• ADVISORYnvd.nist.gov/vuln/detail/CVE-2017-5643
• WEBcamel.apache.org/security-advisories.data/CVE-2017-5643.txt.asc?version=1&modificationDate=1489652454000&api=v2
• WEBaccess.redhat.com/errata/RHSA-2017:1832