Exposure of sensitive data by by crafting a malicious EventFactory and providing a custom ExchangeCreatedEvent that exposes sensitive data. Vulnerability in Apache Camel. This issue affects Apache Camel: from 3.21.X through 3.21.3, from 3.22.X through 3.22.0, from 4.0.X through 4.0.3, from 4.X through 4.3.0. Users are recommended to upgrade to version 3.21.4, 3.22.1, 4.0.4 or 4.4.0, which fixes the issue.
Apache Camel contains an XML external entity injection vulnerability due to using an outdated vulnerable JSON-lib library. This affects only the camel-xmljson component, which was removed.
Apache Camel's File is vulnerable to directory traversal.
Apache Camel 2.20.0 to 2.20.3 and 2.21.0 Core is vulnerable to XXE in XSD validation processor.
Apache Camel Mail is vulnerable to path traversal.
This package is vulnerable against SSRF via remote DTDs and XXE.
Multiple XML external entity (XXE) vulnerabilities in builder/xml/XPathBuilder.java in this package allow remote attackers to read arbitrary files via an external entity in an invalid XML String or GenericFile object in an XPath query.
XML external entity (XXE) vulnerability in the XML converter setup in converter/jaxp/XmlConverter.java in this package allows remote attackers to read arbitrary files via an external entity in an SAXSource.
The XSLT component in this package allows remote attackers to read arbitrary files and possibly have other unspecified impact via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
The XSLT component in this package allows remote attackers to execute arbitrary Java methods via a crafted message.
This package allows remote attackers to execute arbitrary simple language expressions by including $simple{} in a CamelFileName message header to a FILE or FTP producer.