[SECURITY][ERRATA-CORRIGE] New security advisory CVE-2019-0188 released for Apache Camel


Andrea Cosentino-2
A new security advisory has been released for Apache Camel; the issue is fixed in
the recent 2.24.0 release.

CVE-2019-0188: Apache Camel-XMLJson vulnerable to XML external entity injection (XXE) 

Severity: MEDIUM

Vendor: The Apache Software Foundation

Versions Affected: Apache Camel versions prior to 2.24.0

Description: Apache Camel contains an XML external entity injection (XXE) vulnerability (CWE-611) due to using an outdated, vulnerable JSON-lib library. This affects only the camel-xmljson component, which was removed.

Mitigation: Update to version 2.24.0

Credit: This issue was discovered by Takayoshi Isayama of Mitsui Bussan Secure Directions, Inc. 

On behalf of the Apache Camel PMC

Andrea Cosentino 
Apache Camel PMC Chair
Apache Karaf Committer
Apache Servicemix PMC Member
Email: [hidden email]
Twitter: @oscerd2
Github: oscerd
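The advisory's affected-version threshold (prior to 2.24.0) and the removed camel-xmljson component, turned into a dependency inventory check. This is an added example, not part of the advisory or of the Camel project; the pom.xml it scans is a constructed sample with hypothetical dependencies.

```python
import re
import xml.etree.ElementTree as ET

FIXED_VERSION = (2, 24, 0)                      # fix version stated in the advisory
POM_NS = "{http://maven.apache.org/POM/4.0.0}"  # Maven POM XML namespace

# Constructed sample pom.xml (hypothetical project, not from the advisory): the removed
# camel-xmljson component pinned via a property, a fixed camel-core, and an older camel-jetty.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><camel.version>2.23.1</camel.version></properties>
  <dependencies>
    <dependency><groupId>org.apache.camel</groupId><artifactId>camel-xmljson</artifactId>
      <version>${camel.version}</version></dependency>
    <dependency><groupId>org.apache.camel</groupId><artifactId>camel-core</artifactId>
      <version>2.24.0</version></dependency>
    <dependency><groupId>org.apache.camel</groupId><artifactId>camel-jetty</artifactId>
      <version>2.22.3</version></dependency>
  </dependencies>
</project>"""

def parse_version(text):
    """'2.23.1' -> (2, 23, 1); '2.24' -> (2, 24, 0); unresolved or odd strings -> None."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    return tuple(int(p or 0) for p in m.groups()) if m else None

def find_affected(pom_xml):
    """Return (artifactId, version, reason) for org.apache.camel dependencies needing action."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.replace(POM_NS, ""): (p.text or "").strip()
             for p in root.findall(f"{POM_NS}properties/*")}
    findings = []
    for dep in root.iter(f"{POM_NS}dependency"):
        if dep.findtext(f"{POM_NS}groupId", "") != "org.apache.camel":
            continue
        artifact = dep.findtext(f"{POM_NS}artifactId", "")
        raw = dep.findtext(f"{POM_NS}version", "").strip()
        # Resolve ${property} references against <properties>; leave unknown ones as-is.
        version = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), raw)
        parsed = parse_version(version)
        if artifact == "camel-xmljson":
            findings.append((artifact, version, "component removed in 2.24.0; migrate off it"))
        elif parsed is None:
            findings.append((artifact, version, "version unresolved; check the effective POM"))
        elif parsed < FIXED_VERSION:
            findings.append((artifact, version, "affected; upgrade to 2.24.0 or later"))
    return findings
```

Versions inherited from a parent POM or a BOM are not visible in a single file, so run the check against the effective POM (`mvn help:effective-pom`) for dependencies reported as unresolved.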