Stephan Siano

**Name of the Vulnerable Software and Affected Versions** Apache Camel versions prior to 2.13.4 Apache Camel versions 2.14.x prior to 2.14.2 **Description** The issue is related to an XML external entity (XXE) vulnerability in the XML converter setup. This allows remote attackers to read arbitrary files via an external entity in an SAXSource. **Recommendations** For versions prior to 2.13.4, update to version 2.13.4 or later. For versions 2.14.x prior to 2.14.2, update to version 2.14.2 or later.

**Name of the Vulnerable Software and Affected Versions** Apache Camel versions prior to 2.13.4 Apache Camel versions 2.14.x prior to 2.14.2 **Description** The issue allows remote attackers to read arbitrary files via an external entity in an invalid XML String or GenericFile object in an XPath query. This is due to multiple XML external entity (XXE) vulnerabilities in the builder/xml/XPathBuilder.java file. **Recommendations** For Apache Camel versions prior to 2.13.4, update to version 2.13.4 or later. For Apache Camel versions 2.14.x prior to 2.14.2, update to version 2.14.2 or later. As a temporary workaround, consider restricting the use of external entities in XPath queries until a patch is available.