title: “Apache Camel Security Advisory - CVE-2017-5643” url: /security/CVE-2017-5643.html date: 2017-03-16T11:59:00.947000 draft: false type: security-advisory cve: CVE-2017-5643 severity: MEDIUM summary: “Apache Camel's Validation Component is vulnerable against SSRF via remote DTDs and XXE” description: “The Validation Component of Apache Camel evaluates DTD headers of XML stream sources, although a validation against XML schemas (XSD) is executed. Remote attackers can use this feature to make Server-Side Request Forgery (SSRF) attacks by sending XML documents with remote DTDs URLs or XML External Entities (XXE). The vulnerability is not given for SAX or StAX sources.” mitigation: “2.17.x users should upgrade to 2.17.6, 2.18.x users should upgrade to 2.18.3.” credit: “This issue was discovered by Franz Forsthofer” affected: 2.17.0 up to 2.17.5, 2.18.0 up to 2.18.2 fixed: 2.17.6, 2.18.3 and newer

The JIRA tickets https://issues.apache.org/jira/browse/CAMEL-10894 refers to the various commits that resolved the issue, and have more details.