org.apache.camel:camel-core 2.7.5 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.apache.camel:camel-core package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
M XML External Entity (XXE) Injection `org.apache.camel:camel-core` is a versatile open-source integration framework based on known Enterprise Integration Patterns. Multiple XML external entity (XXE) vulnerabilities in builder/xml/XPathBuilder.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allow remote attackers to read arbitrary files via an external entity in an invalid XML (1) String or (2) GenericFile object in an XPath query.	[,2.13.3][2.14.0,2.14.1]
M XML External Entity (XXE) Injection `org.apache.camel:camel-core` is a versatile open-source integration framework based on known Enterprise Integration Patterns. XML external entity (XXE) vulnerability in the XML converter setup in converter/jaxp/XmlConverter.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allows remote attackers to read arbitrary files via an external entity in an SAXSource.	[,2.13.3][2.14.0,2.14.1]
H Arbitrary Code Execution `org.apache.camel:camel-core` is a versatile open-source integration framework based on known Enterprise Integration Patterns. The XSLT component in Apache Camel 2.11.x before 2.11.4, 2.12.x before 2.12.3, and possibly earlier versions allows remote attackers to execute arbitrary Java methods via a crafted message.	[,2.11.3][2.12.0,2.12.2]
H Arbitrary File Reading `org.apache.camel:camel-core` is a versatile open-source integration framework based on known Enterprise Integration Patterns. The XSLT component in Apache Camel before 2.11.4 and 2.12.x before 2.12.3 allows remote attackers to read arbitrary files and possibly have other unspecified impact via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.	[,2.11.3][2.12.0,2.12.2]
M Arbitrary Code Injection `org.apache.camel:camel-core` is a versatile open-source integration framework based on known Enterprise Integration Patterns. Apache Camel before 2.9.7, 2.10.0 before 2.10.7, 2.11.0 before 2.11.2, and 2.12.0 allows remote attackers to execute arbitrary simple language expressions by including "$simple{}" in a CamelFileName message header to a (1) FILE or (2) FTP producer.	[,2.9.7][2.10.0,2.10.6][2.11.0,2.11.1][2.12.0,2.12.1)

Vulnerability

Vulnerable Version

XML External Entity (XXE) Injection

org.apache.camel:camel-core is a versatile open-source integration framework based on known Enterprise Integration Patterns.

Multiple XML external entity (XXE) vulnerabilities in builder/xml/XPathBuilder.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allow remote attackers to read arbitrary files via an external entity in an invalid XML (1) String or (2) GenericFile object in an XPath query.

[,2.13.3][2.14.0,2.14.1]

XML External Entity (XXE) Injection

org.apache.camel:camel-core is a versatile open-source integration framework based on known Enterprise Integration Patterns.

XML external entity (XXE) vulnerability in the XML converter setup in converter/jaxp/XmlConverter.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allows remote attackers to read arbitrary files via an external entity in an SAXSource.

[,2.13.3][2.14.0,2.14.1]

Arbitrary Code Execution

org.apache.camel:camel-core is a versatile open-source integration framework based on known Enterprise Integration Patterns.

The XSLT component in Apache Camel 2.11.x before 2.11.4, 2.12.x before 2.12.3, and possibly earlier versions allows remote attackers to execute arbitrary Java methods via a crafted message.

[,2.11.3][2.12.0,2.12.2]

Arbitrary File Reading

org.apache.camel:camel-core is a versatile open-source integration framework based on known Enterprise Integration Patterns. The XSLT component in Apache Camel before 2.11.4 and 2.12.x before 2.12.3 allows remote attackers to read arbitrary files and possibly have other unspecified impact via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

[,2.11.3][2.12.0,2.12.2]

Arbitrary Code Injection

org.apache.camel:camel-core is a versatile open-source integration framework based on known Enterprise Integration Patterns.

Apache Camel before 2.9.7, 2.10.0 before 2.10.7, 2.11.0 before 2.11.2, and 2.12.0 allows remote attackers to execute arbitrary simple language expressions by including "$simple{}" in a CamelFileName message header to a (1) FILE or (2) FTP producer.

[,2.9.7][2.10.0,2.10.6][2.11.0,2.11.1][2.12.0,2.12.1)

org.apache.camel:camel-core@2.7.5 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities

How to fix?