CVE-2015-0263: Apache Camel XML External Entity vulnerability
CVSS Score: 5.0 (CVSS v2)
Basic Information
CVE ID: CVE-2015-0263
GHSA ID
EPSS Score: 0.87293%
CWE: CWE-611
Published: 10/16/2018
Updated: 12/19/2023
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.apache.camel:camel-core | maven | < 2.13.4 | 2.13.4 |
| org.apache.camel:camel-core | maven | >= 2.14.0, < 2.14.2 | 2.14.2 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from the absence of a 'setFeature("http://xml.org/sax/features/external-general-entities", false)' call in the SAXParserFactory configuration within toSAXSourceFromStream. Without it, the SAX parser created there resolves external general entities declared in an attacker-supplied DOCTYPE, which is how an XXE payload reads local files (the confidentiality impact recorded in the CVSS vector). The GitHub patch explicitly adds this call to disable external entity processing. The CWE-611 mapping and the commit message confirming the XXE fix further validate this as the root cause. The modification to the test file XsltDTDTest.java validates the fix rather than introducing the vulnerability.
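The following is an added example, not Apache Camel's code. It demonstrates the SAX feature named in the root-cause analysis using Python's xml.sax, which accepts the identical SAX2 feature URI that the Camel patch passes to SAXParserFactory.setFeature, so the vulnerable and fixed configurations can be run side by side. The XML document, the secret file and every function name below are constructed for the demonstration.

```python
"""Added example (not Apache Camel's code): the SAX feature named in the
root-cause analysis, demonstrated with Python's xml.sax, which accepts the
same SAX2 feature URI that the Camel patch passes to SAXParserFactory.
The XML document, the secret file and every function name here are
constructed for the demonstration."""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler

# Standard SAX2 feature URI: the identical string the Camel fix sets to false.
EXTERNAL_GENERAL_ENTITIES = "http://xml.org/sax/features/external-general-entities"


class TextCollector(ContentHandler):
    """Accumulates all character data the parser reports."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    @property
    def text(self):
        return "".join(self.parts)


def build_parser(allow_external_ges):
    """Parser factory mirroring the pre-fix / post-fix configurations.

    True  = vulnerable: an external general entity such as
            <!ENTITY x SYSTEM "..."> is fetched and spliced into the
            document (what the unpatched toSAXSourceFromStream allowed).
    False = the fix: the feature the patch disables.
    Python >= 3.7.1 already defaults this feature to False; it is set
    explicitly so both configurations are visible side by side.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(EXTERNAL_GENERAL_ENTITIES, allow_external_ges)
    return parser


def parse_text(xml_bytes, allow_external_ges):
    """Parse a document supplied as a byte stream and return its text."""
    handler = TextCollector()
    parser = build_parser(allow_external_ges)
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text


def xxe_payload(target_path):
    """Constructed attacker document: the DOCTYPE declares an external
    general entity pointing at a local file, and the body references it.
    A real payload usually names a file:///etc/passwd style URL; a plain
    absolute path is used here to keep the demo free of URL handling."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE order [<!ENTITY xxe SYSTEM "{target_path}">]>\n'
        "<order><note>&xxe;</note></order>"
    ).encode("utf-8")


def demo():
    """Feed one payload to both configurations.

    Returns (leaked, safe, secret): 'leaked' is what the vulnerable parser
    produced, 'safe' what the fixed parser produced, 'secret' the file body.
    The file holds plain text with no '<' or '&', since an external parsed
    entity is read as XML content and markup characters would break parsing.
    """
    secret = "TOP-SECRET-42"
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.abspath(os.path.join(tmp, "secret.txt"))
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(secret)
        payload = xxe_payload(path)
        leaked = parse_text(payload, allow_external_ges=True)
        safe = parse_text(payload, allow_external_ges=False)
    return leaked, safe, secret


if __name__ == "__main__":
    leaked, safe, secret = demo()
    print("external-general-entities=true  ->", repr(leaked))  # the secret
    print("external-general-entities=false ->", repr(safe))    # ''
```

Running the block prints the file contents for the vulnerable configuration and an empty string for the fixed one. As a general caveat not stated on this page: disabling external general entities stops this particular file read, but a practitioner hardening a Java SAX or DOM parser would normally also set "http://xml.org/sax/features/external-parameter-entities" to false and, where DTDs are not needed at all, enable the Xerces feature "http://apache.org/xml/features/disallow-doctype-decl", which rejects any DOCTYPE before entities can be declared.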