Apache Camel CVE-2018-8027 XML External Entity Information Disclosure Vulnerability

Apache Camel is prone to an XML External Entity vulnerability.

An attacker can exploit this issue to gain access to sensitive information from the application; this may lead to further attacks.

The following versions are affected:

Apache Camel 2.20.0 through 2.20.3
Apache Camel 2.21.0

Information

Bugtraq ID: 104933
Class: Design Error
CVE: CVE-2018-8027

Remote: Yes
Local: No
Published: Jul 31 2018 12:00AM
Updated: Jul 31 2018 12:00AM
Credit: Karel Jelínek
Vulnerable: Apache Camel 2.21
Apache Camel 2.20.3
Apache Camel 2.20.1
Apache Camel 2.20

Not Vulnerable: Apache Camel 2.21.1
Apache Camel 2.20.4

Exploit

An attacker can exploit this issue using readily available tools.

References:

• Apache Camel Home Page (Apache Software Foundation)
  
• XML Validator - Improve DTD handling (Apache)
  
• XML Validator: Improve DTD handling (Apache)
  
• CVE-2018-8027: Apache Camel's Core is vulnerable to XXE in XSD validation proces (Apache)
  

Source: www.securityfocus.com