<!doctype html> <html lang="en"> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width,initial-scale=1"> <link rel="apple-touch-icon-precomposed" sizes="57x57" href="../apple-touch-icon-57x57.png"> <link rel="apple-touch-icon-precomposed" sizes="114x114" href="../apple-touch-icon-114x114.png"> <link rel="apple-touch-icon-precomposed" sizes="72x72" href="../apple-touch-icon-72x72.png"> <link rel="apple-touch-icon-precomposed" sizes="144x144" href="../apple-touch-icon-144x144.png"> <link rel="apple-touch-icon-precomposed" sizes="60x60" href="../apple-touch-icon-60x60.png"> <link rel="apple-touch-icon-precomposed" sizes="120x120" href="../apple-touch-icon-120x120.png"> <link rel="apple-touch-icon-precomposed" sizes="76x76" href="../apple-touch-icon-76x76.png"> <link rel="apple-touch-icon-precomposed" sizes="152x152" href="../apple-touch-icon-152x152.png"> <link rel="icon" type="image/png" href="../favicon-196x196.png" sizes="196x196"> <link rel="icon" type="image/png" href="../favicon-96x96.png" sizes="96x96"> <link rel="icon" type="image/png" href="../favicon-32x32.png" sizes="32x32"> <link rel="icon" type="image/png" href="../favicon-16x16.png" sizes="16x16"> <link rel="icon" type="image/png" href="../favicon-128.png" sizes="128x128"> <meta name="application-name" content="Apache Camel"> <meta property="og:title" content="Security"> <meta property="og:site_name" content="Apache Camel"> <meta property="og:url" content="https://camel.apache.org/security/"> <meta property="og:type" content="website"> <meta property="og:image" content="https://camel.apache.org/_/img/logo-d.svg"> <link rel="manifest" href="../site.webmanifest"> <title>Security - Apache Camel</title> <link rel="canonical" href="https://camel.apache.org/security/"> <link rel="stylesheet" href="../_/css/site-b287b96c63.css"> </head> <body class="article"> <header class="header" aria-label="Header"> <nav class="navbar" aria-label="Main menu"> <div class="navbar-brand"> <a 
class="nav-logo" href="../" title="Apache Camel"></a> <div id="topbar-nav" class="navbar-menu"> <div class="navbar-end"> <a class="navbar-item-section navbar-item navbar-topics" href="../blog/"> <img alt="Blog" src="../_/img/blog-4c7fa4cb60.svg"> Blog </a> <a class="navbar-item-section navbar-item navbar-topics" href="../docs/"> <img alt="Documentation" src="../_/img/documentation-abb1b7f8b1.svg"> Documentation </a> <a class="navbar-item-section navbar-item navbar-topics" href="../community/"> <img alt="Community" src="../_/img/community-2ec8a3dc8b.svg"> Community </a> <a class="navbar-item-section navbar-item navbar-topics" href="../download/"> <img alt="Download" src="../_/img/download-63cdd75074.svg"> Download </a> <a class="navbar-item-section navbar-item navbar-topics" href="../security/"> <img alt="Security" src="../_/img/security-06abe157b3.svg"> Security </a> </div> </div> <div class="navbar-fill"></div> <div class="break-row"></div> <div class="navbar-search results-hidden"> <input id="search" class="search" placeholder="Search" autocomplete="off"> <img src="/_/img/cancel-1ed239489b.svg" alt="Clear" id="search-cancel"> <div id="search_results"></div> </div> <div class="navbar-tools"> <a rel="noopener noreferrer nofollow" href="https://github.com/apache/camel/" title="Collaborate on GitHub"><svg focusable="false" class="brand-icon"><use href="../_/img/brand-logos-f2e689f4d4.svg#github"/></svg></a> <a rel="noopener noreferrer nofollow" href="https://camel.zulipchat.com" title="Chat on Zulip"><svg focusable="false" class="brand-icon"><use href="../_/img/brand-logos-f2e689f4d4.svg#zulip"/></svg></a> <a rel="noopener noreferrer nofollow" href="https://twitter.com/ApacheCamel" title="Follow Apache Camel on Twitter"><svg focusable="false" class="brand-icon"><use href="../_/img/brand-logos-f2e689f4d4.svg#twitter"/></svg></a> <a rel="noopener noreferrer nofollow" href="https://www.linkedin.com/groups/2447439/" title="Apache Camel group on Linkedin"><svg 
focusable="false" class="brand-icon"><use href="../_/img/brand-logos-f2e689f4d4.svg#linkedin"/></svg></a> </div> <button class="navbar-burger" data-target="topbar-nav" type="button" aria-label="Menu"> <span></span> <span></span> <span></span> </button> </div> </nav> </header> <a id="top"></a> <div class="body"> <main> <article class="static doc security"> <h1 id="apache-camel-security-information">Apache Camel security information</h1> <h2 id="reporting-new-security-problems-with-apache-camel">Reporting new security problems with Apache Camel</h2> <p>The Apache Software Foundation takes a very active stance in eliminating security problems.</p> <p>We strongly encourage folks to report such problems to the private security mailing list of the ASF Security Team before disclosing them in a public forum.</p> <p>Please see the <a href="https://www.apache.org/security/" rel="noopener nofollow noreferrer">page of the ASF Security Team</a> for further information and contact details.</p> <h2 id="security-advisories">Security advisories</h2> <div class="table-wrapper"> <table class="tableblock frame-all grid-all stretch"> <caption>Security advisories by year</caption> <thead> <tr> <th scope="col">Reference</th> <th scope="col">Affected</th> <th scope="col">Fixed</th> <th scope="col">CVSS severity</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <th colspan="5" scope="row"><strong>2024</strong></th> </tr> <tr> <td><a href="../security/CVE-2024-22371.html">CVE-2024-22371</a></td> <td>From 3.0.0 before 3.21.4, from 3.22.0 before 3.22.1, from 4.0.0 before 4.0.4, from 4.1.0 before 4.4.0</td> <td>3.21.4, 3.22.1, 4.0.4 and 4.4.0</td> <td>LOW</td> <td>Exposure of sensitive data by crafting a malicious EventFactory that provides a custom ExchangeCreatedEvent exposing sensitive data</td> </tr> <tr> <td><a href="../security/CVE-2024-23114.html">CVE-2024-23114</a></td> <td>From 3.0.0 before 3.21.4, from 3.22.0 before 3.22.1, from 4.0.0 before 4.0.4, from 4.1.0 before 4.4.0</td> <td>3.21.4, 3.22.1, 4.0.4 and 4.4.0</td> 
<td>HIGH</td> <td>Apache Camel: Camel-CassandraQL: Unsafe Deserialization from CassandraAggregationRepository</td> </tr> <tr> <td><a href="../security/CVE-2024-22369.html">CVE-2024-22369</a></td> <td>From 3.0.0 before 3.21.4, from 3.22.0 before 3.22.1, from 4.0.0 before 4.0.4, from 4.1.0 before 4.4.0</td> <td>3.21.4, 3.22.1, 4.0.4 and 4.4.0</td> <td>HIGH</td> <td>Apache Camel: Camel-SQL: Unsafe Deserialization from JDBCAggregationRepository</td> </tr> <tr> <th colspan="5" scope="row"><strong>2023</strong></th> </tr> <tr> <td><a href="../security/CVE-2023-34442.html">CVE-2023-34442</a></td> <td>3.0.0 up to 3.14.8, 3.18.0 up to 3.18.7, 3.20.0 up to 3.20.5 and 4.0.0-M1 up to 4.0.0-M3</td> <td>3.14.9, 3.18.8, 3.20.6, 3.21.0 and 4.0.0-RC1</td> <td>LOW</td> <td>Temporary File Local Information Disclosure in camel-jira</td> </tr> <tr> <th colspan="5" scope="row"><strong>2022</strong></th> </tr> <tr> <td><a href="../security/CVE-2022-45046.html">CVE-2022-45046</a></td> <td>3.0.0 up to 3.14.5, 3.15.0 up to 3.18.3, and 3.19.0</td> <td>3.14.6, 3.18.4</td> <td>MEDIUM</td> <td>LDAP Injection in camel-ldap</td> </tr> <tr> <th colspan="5" scope="row"><strong>2021</strong></th> </tr> <tr> <td colspan="5"><em>No issues reported</em></td> </tr> <tr> <th colspan="5" scope="row"><strong>2020</strong></th> </tr> <tr> <td><a href="../security/CVE-2020-11994.html">CVE-2020-11994</a></td> <td>2.22.x, 2.23.x, 2.24.x, 2.25.0 and 2.25.1, 3.0.0 up to 3.3.0</td> <td>2.25.2, 3.4.0</td> <td>MEDIUM</td> <td>Server-Side Template Injection and arbitrary file disclosure on Camel templating components</td> </tr> <tr> <td><a href="../security/CVE-2020-11973.html">CVE-2020-11973</a></td> <td>2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0</td> <td>2.25.1, 3.2.0</td> <td>MEDIUM</td> <td>Apache Camel Netty enables Java deserialization by default</td> </tr> <tr> <td><a href="../security/CVE-2020-11972.html">CVE-2020-11972</a></td> <td>2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0</td> 
<td>2.25.1, 3.2.0</td> <td>MEDIUM</td> <td>Apache Camel RabbitMQ enables Java deserialization by default</td> </tr> <tr> <td><a href="../security/CVE-2020-11971.html">CVE-2020-11971</a></td> <td>2.22.x, 2.23.x, 2.24.x, 2.25.x, 3.0.0 up to 3.1.0</td> <td>3.2.0</td> <td>MEDIUM</td> <td>Apache Camel JMX rebind flaw</td> </tr> <tr> <th colspan="5" scope="row"><strong>2019</strong></th> </tr> <tr> <td><a href="../security/CVE-2019-0188.html">CVE-2019-0188</a></td> <td>Apache Camel versions prior to 2.24.0</td> <td>2.24.0</td> <td>MEDIUM</td> <td>Apache Camel's XMLJson component is vulnerable to XML external entity injection (XXE)</td> </tr> <tr> <td><a href="../security/CVE-2019-0194.html">CVE-2019-0194</a></td> <td>2.21.0 up to 2.21.3, 2.22.0 up to 2.22.2, 2.23.0</td> <td>2.21.5, 2.22.3, 2.23.1</td> <td>MEDIUM</td> <td>Apache Camel's File component is vulnerable to directory traversal</td> </tr> <tr> <th colspan="5" scope="row"><strong>2018</strong></th> </tr> <tr> <td><a href="../security/CVE-2018-8041.html">CVE-2018-8041</a></td> <td>2.20.0 up to 2.20.3, 2.21.0 up to 2.21.1, 2.22.0</td> <td>2.20.4, 2.21.2, 2.22.1 and newer</td> <td>MEDIUM</td> <td>Apache Camel's Mail component is vulnerable to path traversal</td> </tr> <tr> <td><a href="../security/CVE-2018-8027.html">CVE-2018-8027</a></td> <td>2.20.0 up to 2.20.3, 2.21.0</td> <td>2.20.4, 2.21.1 and newer</td> <td>MEDIUM</td> <td>Apache Camel's Core is vulnerable to XXE in the XSD validation processor</td> </tr> <tr> <th colspan="5" scope="row"><strong>2017</strong></th> </tr> <tr> <td><a href="../security/CVE-2017-12634.html">CVE-2017-12634</a></td> <td>2.19.0 up to 2.19.3, 2.20.0</td> <td>2.19.4, 2.20.1 and newer</td> <td>MEDIUM</td> <td>Apache Camel's Castor unmarshalling operation is vulnerable to Remote Code Execution attacks</td> </tr> <tr> <td><a href="../security/CVE-2017-12633.html">CVE-2017-12633</a></td> <td>2.19.0 up to 2.19.3, 2.20.0</td> <td>2.19.4, 2.20.1 and newer</td> <td>MEDIUM</td> <td>Apache Camel's Hessian unmarshalling operation is vulnerable to Remote Code Execution attacks</td> </tr> <tr> <td><a href="../security/CVE-2016-8749.html">CVE-2016-8749</a></td> <td>2.16.0 up to 2.16.4, 2.17.0 up to 2.17.4, 2.18.0 up to 2.18.1</td> <td>2.16.5, 2.17.5, 2.18.2</td> <td>MEDIUM</td> <td>Apache Camel's Jackson and JacksonXML unmarshalling operations are vulnerable to Remote Code Execution attacks</td> </tr> <tr> <td><a href="../security/CVE-2017-5643.html">CVE-2017-5643</a></td> <td>2.17.0 up to 2.17.5, 2.18.0 up to 2.18.2</td> <td>2.17.6, 2.18.3 and newer</td> <td>MEDIUM</td> <td>Apache Camel's Validation component is vulnerable to SSRF via remote DTDs and XXE</td> </tr> <tr> <td><a href="../security/CVE-2017-3159.html">CVE-2017-3159</a></td> <td>2.17.0 up to 2.17.4, 2.18.0 up to 2.18.1</td> <td>2.17.5, 2.18.2 and newer</td> <td>MEDIUM</td> <td>Apache Camel's Snakeyaml unmarshalling operation is vulnerable to Remote Code Execution attacks</td> </tr> <tr> <th colspan="5" scope="row"><strong>2016</strong></th> </tr> <tr> <td><a href="../security/CVE-2015-5348.html">CVE-2015-5348</a></td> <td>2.15.0 up to 2.15.4, 2.16.0</td> <td>2.15.5, 2.16.1 and newer</td> <td>MEDIUM</td> <td>Apache Camel's Jetty/Servlet usage is vulnerable to Java object deserialisation attacks</td> </tr> <tr> <td><a href="../security/CVE-2015-5344.html">CVE-2015-5344</a></td> <td>2.15.0 up to 2.15.4, 2.16.0</td> <td>2.15.5, 2.16.1 and newer</td> <td>MEDIUM</td> <td>Apache Camel's XStream usage is vulnerable to Remote Code Execution attacks</td> </tr> <tr> <th colspan="5" scope="row"><strong>2015</strong></th> </tr> <tr> <td><a href="../security/CVE-2015-0264.html">CVE-2015-0264</a></td> <td>2.13.0 up to 2.13.3, 2.14.0 up to 2.14.1</td> <td>2.13.4, 2.14.2, 2.15.0 and newer</td> <td>MEDIUM</td> <td>The XPath handling in Apache Camel for invalid XML Strings or invalid XML GenericFile objects allows remote attackers to read arbitrary files via an XML External Entity (XXE) declaration. The XML External Entity (XXE) is resolved before the exception is thrown.</td> </tr> <tr> <td><a href="../security/CVE-2015-0263.html">CVE-2015-0263</a></td> <td>2.13.0 up to 2.13.3, 2.14.0 up to 2.14.1</td> <td>2.13.4, 2.14.2, 2.15.0 and newer</td> <td>MEDIUM</td> <td>The XML converter setup in Apache Camel allows remote attackers to read arbitrary files via a SAXSource containing an XML External Entity (XXE) declaration.</td> </tr> <tr> <th colspan="5" scope="row"><strong>2014</strong></th> </tr> <tr> <td><a href="../security/CVE-2014-0003.html">CVE-2014-0003</a></td> <td>2.11.0 up to 2.11.3, 2.12.0 up to 2.12.2</td> <td>2.11.4, 2.12.3, 2.13.0 and newer</td> <td>CRITICAL</td> <td>The Apache Camel XSLT component allows XSL stylesheets to perform calls to external Java methods.</td> </tr> <tr> <td><a href="../security/CVE-2014-0002.html">CVE-2014-0002</a></td> <td>2.11.0 up to 2.11.3, 2.12.0 up to 2.12.2</td> <td>2.11.4, 2.12.3, 2.13.0 and newer</td> <td>CRITICAL</td> <td>The Apache Camel XSLT component will resolve entities in XML messages when transforming them using an xslt route.</td> </tr> <tr> <th colspan="5" scope="row"><strong>2013</strong></th> </tr> <tr> <td><a href="../security/CVE-2013-4330.html">CVE-2013-4330</a></td> <td>2.9.0 up to 2.9.7, 2.10.0 up to 2.10.6, 2.11.0 up to 2.11.1, 2.12.0</td> <td>2.9.8, 2.10.7, 2.11.2, 2.12.1 and newer</td> <td>CRITICAL</td> <td>Writing files using the File or FTP components can be exploited by a malicious user.</td> </tr> </tbody> </table> </div> </article> </main> </div> <footer> <div class="footer"> <figure class="logo"> <img class="logo" src="../_/img/logo-d-a567cee6fa.svg" alt="Apache Camel Logo" aria-label="white silhouette of a camel in 
front of a sand dune"> </figure> <input id="footer-toggle-overview" type="checkbox" title="Show/Hide Overview section"> <dl> <dt><label for="footer-toggle-overview">Overview</label><label for="footer-toggle-overview">+</label></dt> <dd><a href="../blog/">Blog</a></dd> <dd><a href="../docs/">Documentation</a></dd> <dd><a href="../community/support/">Community</a></dd> <dd><a href="../download/">Download</a></dd> </dl> <input id="footer-toggle-documentation" type="checkbox" title="Show/Hide Documentation section"> <dl> <dt><label for="footer-toggle-documentation">Documentation</label><label for="footer-toggle-documentation">+</label></dt> <dd><a href="../manual/">User Manual</a></dd> <dd><a href="../components/next/index.html">Components</a></dd> <dd><a href="../camel-k/next/">Camel-K</a></dd> <dd><a href="../camel-kafka-connector/next/">Camel Kafka Connector</a></dd> <dd><a href="../camel-quarkus/next/">Camel Quarkus</a></dd> <dd><a href="../camel-spring-boot/next/">Camel Spring Boot</a></dd> <dd><a href="../camel-karaf/3.22.x/">Camel Karaf</a></dd> <dd><a href="../manual/faq/index.html">FAQ</a></dd> </dl> <input id="footer-toggle-community" type="checkbox" title="Show/Hide Community section"> <dl> <dt><label for="footer-toggle-community">Community</label><label for="footer-toggle-community">+</label></dt> <dd><a href="../community/support/">Support</a></dd> <dd><a href="../community/contributing/">Contributing</a></dd> <dd><a href="../community/mailing-list">Mailing Lists</a></dd> <dd><a href="../community/user-stories/">User stories</a></dd> <dd><a href="../community/articles/">Articles</a></dd> <dd><a href="../community/books/">Books</a></dd> <dd><a href="../community/team/">Team</a></dd> </dl> <input id="footer-toggle-about" type="checkbox" title="Show/Hide Acknowledgements section"> <dl> <dt><label for="footer-toggle-about">About</label><label for="footer-toggle-about">+</label></dt> <dd><a href="../acknowledgments/">Acknowledgments</a></dd> <dd><a 
target="_blank" rel="noopener noreferrer nofollow" href="https://www.apache.org/events/current-event.html" title="Apache Events">Apache Events</a></dd> <dd><a target="_blank" rel="noopener noreferrer nofollow" href="https://www.apache.org/licenses/" title="License">License</a></dd> <dd><a target="_blank" rel="noopener noreferrer nofollow" href="https://www.apache.org/security/" title="Security">Security</a></dd> <dd><a target="_blank" rel="noopener noreferrer nofollow" href="https://www.apache.org/foundation/sponsorship.html" title="Sponsorship">Sponsorship</a></dd> <dd><a target="_blank" rel="noopener noreferrer nofollow" href="https://www.apache.org/foundation/thanks.html" title="Thanks">Thanks</a></dd> </dl> <p class="remark"> © 2004-2024 The <a href="https://apache.org">Apache Software Foundation</a>.<br> Apache Camel, Camel, Apache, the Apache feather logo, and the Apache Camel project logo are trademarks of The Apache Software Foundation. All other marks mentioned may be trademarks or registered trademarks of their respective owners. 
</p> <div class="resources"> <div class="context"> <a href="https://privacy.apache.org/policies/privacy-policy-public.html">Privacy Policy</a> </div> <div class="context"> <a target="_blank" rel="noopener noreferrer nofollow" href="https://www.apache.org/foundation/policies/conduct">Code of Conduct</a> </div> <div class="context"> <a href="../sitemap/">Sitemap</a> </div> </div> <div class="footer-icons"> <a rel="noopener noreferrer nofollow" href="https://github.com/apache/camel/" title="Collaborate on GitHub"><svg class="brand-icon" focusable="false"><use href="../_/img/brand-logos-f2e689f4d4.svg#github"/></svg></a> <a rel="noopener noreferrer nofollow" href="https://camel.zulipchat.com" title="Chat on Zulip"><svg class="brand-icon" focusable="false"><use href="../_/img/brand-logos-f2e689f4d4.svg#zulip"/></svg></a> <a rel="noopener noreferrer nofollow" href="https://twitter.com/ApacheCamel" title="Follow Apache Camel on Twitter"><svg class="brand-icon" focusable="false"><use href="../_/img/brand-logos-f2e689f4d4.svg#twitter"/></svg></a> <a rel="noopener noreferrer nofollow" href="https://www.linkedin.com/groups/2447439/" title="Apache Camel group on Linkedin"><svg class="brand-icon" focusable="false"><use href="../_/img/brand-logos-f2e689f4d4.svg#linkedin"/></svg></a> </div> </div> </footer> <script src="../_/js/vendor/algoliasearch-bad45193e2.js"></script> <script src="../_/js/site-c215fb6972.js"></script> <script async src="../_/js/vendor/highlight-621a10fe1b.js"></script> <script async src="../_/js/vendor/svg4everybody-a0c573f2b9.js"></script> <script type="application/ld+json"> { "@context": "http://schema.org", "@type": "Organization", "name": "Apache Camel", "url": "https:\/\/camel.apache.org\/" , "sameAs": ["https://twitter.com/ApacheCamel"] , "logo": "https:\/\/camel.apache.org\/_\/img\/logo-d.svg" , "description": "Apache Camel ™ is a versatile open-source integration framework based on known Enterprise Integration Patterns. 
Camel empowers you to define routing and mediation rules in a variety of domain-specific languages, including a Java-based Fluent API, Spring or Blueprint XML Configuration files, and a Scala DSL." } </script> <script type="application/ld+json"> { "@context": "http://schema.org", "@type": "BreadcrumbList", "itemListElement": [{ "@type": "ListItem", "position": 1 , "item": { "@id": "https://camel.apache.org/", "name": "Apache Camel" } },{ "@type": "ListItem", "position": 2 , "item": { "@id": "https://camel.apache.org/security/", "name": "security" } }] } </script> </body> </html>