CVE-2015-0264

Name of the Vulnerable Software and Affected Versions Apache Camel versions prior to 2.13.4 Apache Camel versions 2.14.x prior to 2.14.2

Description The issue allows remote attackers to read arbitrary files via an external entity in an invalid XML String or GenericFile object in an XPath query. This is due to multiple XML external entity (XXE) vulnerabilities in the builder/xml/XPathBuilder.java file.

Recommendations For Apache Camel versions prior to 2.13.4, update to version 2.13.4 or later. For Apache Camel versions 2.14.x prior to 2.14.2, update to version 2.14.2 or later. As a temporary workaround, consider restricting the use of external entities in XPath queries until a patch is available.