CVE-2019-0188 — XML External Entity injection in Apache Camel

Description

Apache Camel prior to 2.24.0 contains an XML external entity injection (XXE) vulnerability (CWE-611) due to using an outdated vulnerable JSON-lib library. This affects only the camel-xmljson component, which was removed.

How to fix CVE-2019-0188

To remediate CVE-2019-0188, upgrade the affected package to a fixed version below.

Maven/org.apache.camel:camel-core—upgrade to 2.24.0 or later
—no fix listed

Is CVE-2019-0188 being exploited?

Low — EPSS is 1.0%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 2.24.0
from 0, <= 2.23.4

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References (18)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-0188
WEBjvn.jp/en/jp/JVN71498764/index.html
WEBgithub.com/apache/camel/blob/master/docs/user-manual/en/security-advisories/CVE-2019-0188.txt.asc
WEBissues.apache.org/jira/browse/TAMAYA-410