---
title: "Apache Camel Security Advisory - CVE-2014-0002"
url: /security/CVE-2014-0002.html
date: 2014-03-21T00:38:59.027000
draft: false
cve: CVE-2014-0002
severity: CRITICAL
summary: "The Apache Camel XSLT component will resolve entities in XML messages when transforming them using an xslt route."
description: "The Apache Camel XSLT component will resolve entities in XML messages when transforming them using an xslt route. A remote attacker able to submit messages to an xslt route could use this flaw to read files accessible to the running application server and potentially perform other more advanced XXE attacks."
mitigation: "2.11.x users should upgrade to 2.11.4, 2.12.x users should upgrade to 2.12.3. This patch will be included from Camel 2.13.0: https://git-wip-us.apache.org/repos/asf?p=camel.git;a=commitdiff;h=341d4e6cca71c53c90962d1c3d45fc9e05cc50c6"
credit: "This issue was discovered by David Jorm."
type: security-advisory
affected: 2.11.0 up to 2.11.3, 2.12.0 up to 2.12.2
fixed: 2.11.4, 2.12.3, 2.13.0 and newer
---

Example: create a simple route that receives an HTTP request, applies a (safe) stylesheet and stores the result in a file:

```xml
<route>
  <from uri="servlet:///hello"/>
  <to uri="xslt:file:/tmp/transform.xsl" />
  <to uri="file:/tmp/output" />
</route>
```

If an attacker is able to submit a message to this route, they can provide a message that is an XML document containing external entities. These entities will be resolved, and their contents included in the output of the transformation performed by the xslt route.