Apache Camel
By the Year
In 2023 there have been 0 vulnerabilities in Apache Camel . Last year Camel had 1 security vulnerability published. Right now, Camel is on track to have less security vulnerabilities in 2023 than it did last year.
Year | Vulnerabilities | Average Score |
---|---|---|
2023 | 0 | 0.00 |
2022 | 1 | 9.80 |
2021 | 0 | 0.00 |
2020 | 5 | 8.54 |
2019 | 2 | 7.50 |
2018 | 2 | 7.55 |
It may take a day or so for new Camel vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Apache Camel Security Vulnerabilities
DO NOT USE THIS CANDIDATE NUMBER
CVE-2022-45046
9.8 - Critical
- December 05, 2022
DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
Server-Side Template Injection and arbitrary file disclosure on Camel templating components
CVE-2020-11994
7.5 - High
- July 08, 2020
Server-Side Template Injection and arbitrary file disclosure on Camel templating components
Injection
Apache Camel's JMX is vulnerable to Rebind Flaw
CVE-2020-11971
7.5 - High
- May 14, 2020
Apache Camel's JMX is vulnerable to Rebind Flaw. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.x, 3.0.0 up to 3.1.0 is affected. Users should upgrade to 3.2.0.
Apache Camel RabbitMQ enables Java deserialization by default
CVE-2020-11972
9.8 - Critical
- May 14, 2020
Apache Camel RabbitMQ enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 are affected. 2.x users should upgrade to 2.25.1, 3.x users should upgrade to 3.2.0.
Marshaling, Unmarshaling
Apache Camel Netty enables Java deserialization by default
CVE-2020-11973
9.8 - Critical
- May 14, 2020
Apache Camel Netty enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 are affected. 2.x users should upgrade to 2.25.1, 3.x users should upgrade to 3.2.0.
Marshaling, Unmarshaling
HtmlUnit prior to 2.37.0 contains code execution vulnerabilities
CVE-2020-5529
8.1 - High
- February 11, 2020
HtmlUnit prior to 2.37.0 contains code execution vulnerabilities. HtmlUnit initializes Rhino engine improperly, hence a malicious JavScript code can execute arbitrary Java code on the application. Moreover, when embedded in Android application, Android-specific initialization of Rhino engine is done in an improper way, hence a malicious JavaScript code can execute arbitrary Java code on the application.
Improper Initialization
Apache Camel prior to 2.24.0 contains an XML external entity injection (XXE) vulnerability (CWE-611) due to using an outdated vulnerable JSON-lib library
CVE-2019-0188
7.5 - High
- May 28, 2019
Apache Camel prior to 2.24.0 contains an XML external entity injection (XXE) vulnerability (CWE-611) due to using an outdated vulnerable JSON-lib library. This affects only the camel-xmljson component, which was removed.
XXE
Apache Camel's File is vulnerable to directory traversal
CVE-2019-0194
7.5 - High
- April 30, 2019
Apache Camel's File is vulnerable to directory traversal. Camel 2.21.0 to 2.21.3, 2.22.0 to 2.22.2, 2.23.0 and the unsupported Camel 2.x (2.19 and earlier) versions may be also affected.
Directory traversal
Apache Camel's Mail 2.20.0 through 2.20.3
CVE-2018-8041
5.3 - Medium
- September 17, 2018
Apache Camel's Mail 2.20.0 through 2.20.3, 2.21.0 through 2.21.1 and 2.22.0 is vulnerable to path traversal.
Directory traversal
Apache Camel 2.20.0 to 2.20.3 and 2.21.0 Core is vulnerable to XXE in XSD validation processor.
CVE-2018-8027
9.8 - Critical
- July 31, 2018
Apache Camel 2.20.0 to 2.20.3 and 2.21.0 Core is vulnerable to XXE in XSD validation processor.
XXE
The XSLT component in Apache Camel before 2.11.4 and 2.12.x before 2.12.3
CVE-2014-0002
- March 21, 2014
The XSLT component in Apache Camel before 2.11.4 and 2.12.x before 2.12.3 allows remote attackers to read arbitrary files and possibly have other unspecified impact via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
Permissions, Privileges, and Access Controls
The XSLT component in Apache Camel 2.11.x before 2.11.4, 2.12.x before 2.12.3, and possibly earlier versions
CVE-2014-0003
- March 21, 2014
The XSLT component in Apache Camel 2.11.x before 2.11.4, 2.12.x before 2.12.3, and possibly earlier versions allows remote attackers to execute arbitrary Java methods via a crafted message.
Permissions, Privileges, and Access Controls
Apache Camel before 2.9.7, 2.10.0 before 2.10.7, 2.11.0 before 2.11.2, and 2.12.0
CVE-2013-4330
- October 04, 2013
Apache Camel before 2.9.7, 2.10.0 before 2.10.7, 2.11.0 before 2.11.2, and 2.12.0 allows remote attackers to execute arbitrary simple language expressions by including "$simple{}" in a CamelFileName message header to a (1) FILE or (2) FTP producer.
Code Injection
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Apache Camel or by Apache? Click the Watch button to subscribe.
