title: "Apache Camel Security Advisory - CVE-2015-0264"
url: /security/CVE-2015-0264.html
date: 2015-06-03T16:59:04.403000
draft: false
type: security-advisory
cve: CVE-2015-0264
severity: MEDIUM
summary: "The XPath handling in Apache Camel for invalid XML Strings or invalid XML GenericFile objects allows remote attackers to read arbitrary files via an XML External Entity (XXE) declaration. The XML External Entity (XXE) will be resolved before the Exception is thrown."
description: "The XPath handling in Apache Camel for invalid XML Strings or invalid XML GenericFile objects allows remote attackers to read arbitrary files via an XML External Entity (XXE) declaration. The XML External Entity (XXE) will be resolved before the Exception is thrown."
mitigation: "2.13.x users should upgrade to 2.13.4, 2.14.x users should upgrade to 2.14.2. This patch will be included from Camel 2.15.0: https://git-wip-us.apache.org/repos/asf?p=camel.git;a=commitdiff;h=1df559649a96a1ca0368373387e542f46e4820da"
credit: "This issue was discovered by Stephan Siano."
affected: 2.13.0 up to 2.13.3, 2.14.0 up to 2.14.1
fixed: 2.13.4, 2.14.2, 2.15.0 and newer
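The defect class the advisory describes, as an added illustration that is not Camel's code and not the patched code linked above: a parser working through an XML String fetches a declared external entity as soon as it is referenced, and only afterwards reaches the syntax error that makes the input "invalid XML". The exception the caller sees therefore arrives after the file read has already happened. The class below evaluates an XPath expression against an XML String with plain JAXP, once with default parser settings and once with DOCTYPE declarations disallowed, and records which external entities the parser asked for before it gave up. The payload string, the `RecordingResolver` and the `evaluate` helper are constructed for this example; the resolver answers with a stand-in so that running it does not actually read a local file.

```java
import java.io.ByteArrayInputStream;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class XxeBeforeException {

    // Constructed payload: an external entity pointing at a local file is
    // referenced in the body, and the root element is left unclosed. The
    // parser expands &xxe; while streaming and only hits the syntax error
    // at the very end of the input.
    static final String PAYLOAD =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE root [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>\n"
        + "<root>&xxe;</root";   // missing '>' -> SAXParseException, after &xxe; was resolved

    // Records every external entity the parser requests and answers with a
    // harmless stand-in, so the example is observable without touching files.
    static final class RecordingResolver implements EntityResolver {
        final List<String> requested = new ArrayList<>();

        @Override
        public InputSource resolveEntity(String publicId, String systemId) {
            requested.add(systemId);
            return new InputSource(new StringReader("resolved"));
        }
    }

    // Evaluates an XPath expression against an XML String. hardened=false uses
    // default JAXP settings (DTD processed, external entities resolved) and so
    // shows the ordering problem; hardened=true refuses any DOCTYPE before the
    // parser can reach an entity declaration. Returns the entities requested.
    static List<String> evaluate(String xml, String xpath, boolean hardened) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        if (hardened) {
            dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            dbf.setXIncludeAware(false);
            dbf.setExpandEntityReferences(false);
        }
        DocumentBuilder db = dbf.newDocumentBuilder();
        RecordingResolver resolver = new RecordingResolver();
        db.setEntityResolver(resolver);
        try {
            Document doc = db.parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            String result = XPathFactory.newInstance().newXPath().evaluate(xpath, doc);
            System.out.println("XPath result: " + result);
        } catch (SAXException e) {
            // This is where the caller learns the input was invalid XML.
            // In the unsafe configuration the entity was already fetched.
            System.out.println("Parse failed: " + e.getMessage());
        }
        return resolver.requested;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default  -> entities fetched before the error: "
            + evaluate(PAYLOAD, "/root/text()", false));
        System.out.println("hardened -> entities fetched before the error: "
            + evaluate(PAYLOAD, "/root/text()", true));
    }
}
```

With default settings the first call reports the `file:///etc/hostname` system id as requested and then prints the parse failure; the hardened call fails on the DOCTYPE line with an empty list, because the parser never reaches the entity declaration. The fix for Camel users is the upgrade named in the mitigation field; the hardened branch shows the parser-level control that a consumer evaluating XPath over untrusted XML outside Camel would want regardless.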