Posted to commits@camel.apache.org by ac...@apache.org on 2018/10/19 06:10:07 UTC

[camel] 01/02: Moved Security Advisories documentation to repo

This is an automated email from the ASF dual-hosted git repository.

acosentino pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/camel.git

commit 231b992fd9fb170401b0cd5b296c35f8c2eac107
Author: Andrea Cosentino <an...@gmail.com>
AuthorDate: Fri Oct 19 08:08:50 2018 +0200

    Moved Security Advisories documentation to repo
---
 docs/user-manual/en/security-advisories.adoc | 55 ++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)

diff --git a/docs/user-manual/en/security-advisories.adoc b/docs/user-manual/en/security-advisories.adoc
new file mode 100644
index 0000000..fb871fe
--- /dev/null
+++ b/docs/user-manual/en/security-advisories.adoc
@@ -0,0 +1,55 @@
+[[SecurityAdvisories]]
+### 2017
+
+[CVE-2017-5643](security-advisories/CVE-2017-5643.txt.asc) - Apache
+Camel's Validation Component is vulnerable against SSRF via remote DTDs
+and XXE
+
+[CVE-2017-3159](security-advisories/CVE-2017-3159.txt.asc) - Apache
+Camel's Snakeyaml unmarshalling operation is vulnerable to Remote Code
+Execution attacks
+
+### 2016
+
+[CVE-2016-8749](security-advisories/CVE-2016-8749.txt.asc) - Apache
+Camel's Jackson and JacksonXML unmarshalling operation are vulnerable to
+Remote Code Execution attacks
+
+### 2015
+
+[CVE-2015-5344](security-advisories/CVE-2015-5344.txt.asc) - Apache
+Camel's XStream usage is vulnerable to Remote Code Execution attacks.
+
+[CVE-2015-5348](security-advisories/CVE-2015-5348.txt.asc)
+- Apache Camel's Jetty/Servlet usage is vulnerable to Java object
+de-serialisation vulnerability.
+
+[CVE-2015-0264](security-advisories/CVE-2015-0264.txt.asc)
+- The XPath handling in Apache Camel for invalid XML Strings or invalid
+XML GenericFile objects allows remote attackers to read arbitrary files
+via an XML External Entity (XXE) declaration. The XML External Entity
+(XXE) will be resolved before the Exception is thrown.
+
+[CVE-2015-0263](security-advisories/CVE-2015-0263.txt.asc)
+- The XML converter setup in Apache Camel allows remote attackers to
+read arbitrary files via an SAXSource containing an XML External Entity
+(XXE) declaration.
+
+### 2014
+
+
+[CVE-2014-0003](security-advisories/CVE-2014-0003.txt.asc)
+- The Apache Camel XSLT component allows XSL stylesheets to perform
+calls to external Java methods.
+
+[CVE-2014-0002](security-advisories/CVE-2014-0002.txt.asc)
+- The Apache Camel XSLT component will resolve entities in XML messages
+when transforming them using an xslt route.
+
+### 2013
+
+[CVE-2013-4330](security-advisories/CVE-2013-4330.txt.asc)
+- Writing files using FILE or FTP components, can potentially be
+exploited by a malicious user.
+
+
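Review bot: the new file is AsciiDoc (security-advisories.adoc) but its headings and links use Markdown syntax, so the page will not render as intended: `### 2017` should be an AsciiDoc section title such as `== 2017`, and `[CVE-2017-5643](security-advisories/CVE-2017-5643.txt.asc)` should be `link:security-advisories/CVE-2017-5643.txt.asc[CVE-2017-5643]`, and likewise for the other nine entries. The entries are also formatted inconsistently: the 2017 and 2016 items and CVE-2015-5344 keep ` - ` on the same line as the link, while the remaining entries start the description on a new line with `- `, which AsciiDoc renders as an unordered list item detached from the link above it; one form for every entry, for example `* link:security-advisories/CVE-2013-4330.txt.asc[CVE-2013-4330] - description`, would fix this. Minor: the `[[SecurityAdvisories]]` anchor at the top is not followed by a document title, the 2014 section and the end of the file carry double blank lines, and only some descriptions end with a full stop. The linked `security-advisories/*.txt.asc` files are not part of this change (1 file changed), so the links will be dead unless the second commit in this push adds them.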