Camel Apache Camel

Do you want an email whenever new security vulnerabilities are reported in Apache Camel?

By the Year

In 2022 there have been 0 vulnerabilities in Apache Camel . Camel did not have any published security vulnerabilities last year.

Year Vulnerabilities Average Score
2022 0 0.00
2021 0 0.00
2020 5 8.54
2019 2 7.50
2018 2 7.55

It may take a day or so for new Camel vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Apache Camel Security Vulnerabilities

Server-Side Template Injection and arbitrary file disclosure on Camel templating components

CVE-2020-11994 7.5 - High - July 08, 2020

Server-Side Template Injection and arbitrary file disclosure on Camel templating components

Injection

Apache Camel's JMX is vulnerable to Rebind Flaw

CVE-2020-11971 7.5 - High - May 14, 2020

Apache Camel's JMX is vulnerable to Rebind Flaw. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.x, 3.0.0 up to 3.1.0 is affected. Users should upgrade to 3.2.0.

Apache Camel RabbitMQ enables Java deserialization by default

CVE-2020-11972 9.8 - Critical - May 14, 2020

Apache Camel RabbitMQ enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 are affected. 2.x users should upgrade to 2.25.1, 3.x users should upgrade to 3.2.0.

Marshaling, Unmarshaling

Apache Camel Netty enables Java deserialization by default

CVE-2020-11973 9.8 - Critical - May 14, 2020

Apache Camel Netty enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 are affected. 2.x users should upgrade to 2.25.1, 3.x users should upgrade to 3.2.0.

Marshaling, Unmarshaling

HtmlUnit prior to 2.37.0 contains code execution vulnerabilities

CVE-2020-5529 8.1 - High - February 11, 2020

HtmlUnit prior to 2.37.0 contains code execution vulnerabilities. HtmlUnit initializes Rhino engine improperly, hence a malicious JavScript code can execute arbitrary Java code on the application. Moreover, when embedded in Android application, Android-specific initialization of Rhino engine is done in an improper way, hence a malicious JavaScript code can execute arbitrary Java code on the application.

Improper Initialization

Apache Camel prior to 2.24.0 contains an XML external entity injection (XXE) vulnerability (CWE-611) due to using an outdated vulnerable JSON-lib library

CVE-2019-0188 7.5 - High - May 28, 2019

Apache Camel prior to 2.24.0 contains an XML external entity injection (XXE) vulnerability (CWE-611) due to using an outdated vulnerable JSON-lib library. This affects only the camel-xmljson component, which was removed.

XXE

Apache Camel's File is vulnerable to directory traversal

CVE-2019-0194 7.5 - High - April 30, 2019

Apache Camel's File is vulnerable to directory traversal. Camel 2.21.0 to 2.21.3, 2.22.0 to 2.22.2, 2.23.0 and the unsupported Camel 2.x (2.19 and earlier) versions may be also affected.

Directory traversal

Apache Camel's Mail 2.20.0 through 2.20.3

CVE-2018-8041 5.3 - Medium - September 17, 2018

Apache Camel's Mail 2.20.0 through 2.20.3, 2.21.0 through 2.21.1 and 2.22.0 is vulnerable to path traversal.

Directory traversal

Apache Camel 2.20.0 to 2.20.3 and 2.21.0 Core is vulnerable to XXE in XSD validation processor.

CVE-2018-8027 9.8 - Critical - July 31, 2018

Apache Camel 2.20.0 to 2.20.3 and 2.21.0 Core is vulnerable to XXE in XSD validation processor.

XXE

The XSLT component in Apache Camel before 2.11.4 and 2.12.x before 2.12.3

CVE-2014-0002 - March 21, 2014

The XSLT component in Apache Camel before 2.11.4 and 2.12.x before 2.12.3 allows remote attackers to read arbitrary files and possibly have other unspecified impact via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

Permissions, Privileges, and Access Controls

The XSLT component in Apache Camel 2.11.x before 2.11.4, 2.12.x before 2.12.3, and possibly earlier versions

CVE-2014-0003 - March 21, 2014

The XSLT component in Apache Camel 2.11.x before 2.11.4, 2.12.x before 2.12.3, and possibly earlier versions allows remote attackers to execute arbitrary Java methods via a crafted message.

Permissions, Privileges, and Access Controls

Apache Camel before 2.9.7, 2.10.0 before 2.10.7, 2.11.0 before 2.11.2, and 2.12.0

CVE-2013-4330 - October 04, 2013

Apache Camel before 2.9.7, 2.10.0 before 2.10.7, 2.11.0 before 2.11.2, and 2.12.0 allows remote attackers to execute arbitrary simple language expressions by including "$simple{}" in a CamelFileName message header to a (1) FILE or (2) FTP producer.

Code Injection

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Apache Camel or by Apache? Click the Watch button to subscribe.

Apache
Vendor

Apache Camel
Product

subscribe