It was found that Apache Camel's validation component evaluates DTD headers of XML stream sources, although a validation against XML schemas (XSD) is executed. Remote attackers can use this feature to make Server-Side Request Forgery (SSRF) attacks by sending XML documents with remote DTDs URLs or XML External Entities (XXE). The vulnerability is not given for SAX or StAX sources.
Find out more about CVE-2017-5643 from the MITRE CVE dictionary dictionary and NIST NVD.
| CVSS3 Base Score | 6.5 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity Impact | Low |
| Availability Impact | None |
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat JBoss A-MQ 6.3 | RHSA-2017:1832 | 2017-08-10 |
| Red Hat JBoss Fuse 6.3 | RHSA-2017:1832 | 2017-08-10 |
| Platform | Package | State |
|---|---|---|
| Red Hat OpenShift Enterprise 2 | camel-core | Will not fix |
| Red Hat JBoss Fuse Service Works 6 | camel | Will not fix |
| Red Hat JBoss Enterprise SOA Platform 5 | camel-core | Will not fix |
| Red Hat JBoss Data Grid 6 | camel-core | Will not fix |
| Red Hat JBoss BRMS 5 | camel-core | Will not fix |
Vulmon