CVE-2015-0264 (GCVE-0-2015-0264)
Vulnerability from cvelistv5
- n/a
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T04:03:10.739Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "RHSA-2015:1539", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2015-1539.html" }, { "name": "1032442", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://securitytracker.com/id/1032442" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://git-wip-us.apache.org/repos/asf?p=camel.git%3Ba=commitdiff%3Bh=1df559649a96a1ca0368373387e542f46e4820da" }, { "name": "RHSA-2015:1041", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2015-1041.html" }, { "name": "RHSA-2015:1538", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2015-1538.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc" }, { "name": "[camel-commits] 20190430 svn commit: r1044347 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0194.txt.asc security-advisories.html", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d%40%3Ccommits.camel.apache.org%3E" }, { "name": "[camel-commits] 20190524 svn commit: r1045395 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0188.txt.asc security-advisories.html", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": 
"n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2015-03-02T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple XML external entity (XXE) vulnerabilities in builder/xml/XPathBuilder.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allow remote attackers to read arbitrary files via an external entity in an invalid XML (1) String or (2) GenericFile object in an XPath query." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-05-24T10:06:04", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "RHSA-2015:1539", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2015-1539.html" }, { "name": "1032442", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://securitytracker.com/id/1032442" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://git-wip-us.apache.org/repos/asf?p=camel.git%3Ba=commitdiff%3Bh=1df559649a96a1ca0368373387e542f46e4820da" }, { "name": "RHSA-2015:1041", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2015-1041.html" }, { "name": "RHSA-2015:1538", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2015-1538.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc" }, { "name": "[camel-commits] 20190430 svn commit: r1044347 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0194.txt.asc security-advisories.html", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d%40%3Ccommits.camel.apache.org%3E" }, { "name": "[camel-commits] 20190524 svn commit: r1045395 - in /websites/production/camel/content: 
cache/main.pageCache security-advisories.data/CVE-2019-0188.txt.asc security-advisories.html", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2015-0264", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple XML external entity (XXE) vulnerabilities in builder/xml/XPathBuilder.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allow remote attackers to read arbitrary files via an external entity in an invalid XML (1) String or (2) GenericFile object in an XPath query." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "RHSA-2015:1539", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2015-1539.html" }, { "name": "1032442", "refsource": "SECTRACK", "url": "http://securitytracker.com/id/1032442" }, { "name": "https://git-wip-us.apache.org/repos/asf?p=camel.git;a=commitdiff;h=1df559649a96a1ca0368373387e542f46e4820da", "refsource": "CONFIRM", "url": "https://git-wip-us.apache.org/repos/asf?p=camel.git;a=commitdiff;h=1df559649a96a1ca0368373387e542f46e4820da" }, { "name": "RHSA-2015:1041", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2015-1041.html" }, { "name": "RHSA-2015:1538", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2015-1538.html" }, { "name": "https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc", "refsource": "CONFIRM", "url": "https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc" }, { "name": "[camel-commits] 20190430 svn commit: r1044347 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0194.txt.asc security-advisories.html", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d@%3Ccommits.camel.apache.org%3E" }, { "name": "[camel-commits] 20190524 svn commit: r1045395 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0188.txt.asc security-advisories.html", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf@%3Ccommits.camel.apache.org%3E" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2015-0264", "datePublished": "2015-06-03T20:00:00", "dateReserved": "2014-11-18T00:00:00", "dateUpdated": 
"2024-08-06T04:03:10.739Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "vulnerability-lookup:meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2015-0264\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2015-06-03T20:59:04.403\",\"lastModified\":\"2025-04-12T10:46:40.837\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Multiple XML external entity (XXE) vulnerabilities in builder/xml/XPathBuilder.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allow remote attackers to read arbitrary files via an external entity in an invalid XML (1) String or (2) GenericFile object in an XPath query.\"},{\"lang\":\"es\",\"value\":\"M\u00faltiples vulnerabilidades de entidad externa XML (XXE) en builder/xml/XPathBuilder.java en Apache Camel anterior a 2.13.4 y 2.14.x anterior a 2.14.2 permiten a atacantes remotos leer ficheros arbitrarios a trav\u00e9s de una entidad externa en un objeto XML (1) String o (2) GenericFile inv\u00e1lido en una consulta 
XPath.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:N/A:N\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-Other\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"2.13.3\",\"matchCriteriaId\":\"3E65DC32-33D4-46FB-97AD-0ACF0DDF6E00\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:camel:2.14.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BF8F319C-1212-4787-A1E8-15D576527EF2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:camel:2.14.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"17E12D85-196F-4723-A4EC-7DC900087AC5\"}]}]}],\"references\":[{\"url\":\"http://rhn.redhat.com/errata/RHSA-2015-1041.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2015-1538.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2015-1539.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://securitytracker.com/id/1032442\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor 
Advisory\"]},{\"url\":\"https://git-wip-us.apache.org/repos/asf?p=camel.git%3Ba=commitdiff%3Bh=1df559649a96a1ca0368373387e542f46e4820da\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d%40%3Ccommits.camel.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2015-1041.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2015-1538.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2015-1539.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://securitytracker.com/id/1032442\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://git-wip-us.apache.org/repos/asf?p=camel.git%3Ba=commitdiff%3Bh=1df559649a96a1ca0368373387e542f46e4820da\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d%40%3Ccommits.camel.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}],\"evaluatorComment\":\"\u003ca href=\\\"http://cwe.mitre.org/data/definitions/611.html\\\"\u003eCWE-611: Improper Restriction of XML External Entity Reference (\u0027XXE\u0027)\u003c/a\u003e\"}}" } }
ghsa-mhx2-r3jx-g94c
Vulnerability from github
Multiple XML external entity (XXE) vulnerabilities in builder/xml/XPathBuilder.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allow remote attackers to read arbitrary files via an external entity in an invalid XML (1) String or (2) GenericFile object in an XPath query.
{ "affected": [ { "package": { "ecosystem": "Maven", "name": "org.apache.camel:camel-core" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "2.13.4" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Maven", "name": "org.apache.camel:camel-core" }, "ranges": [ { "events": [ { "introduced": "2.14.0" }, { "fixed": "2.14.2" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2015-0264" ], "database_specific": { "cwe_ids": [], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:46:27Z", "nvd_published_at": null, "severity": "MODERATE" }, "details": "Multiple XML external entity (XXE) vulnerabilities in builder/xml/XPathBuilder.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allow remote attackers to read arbitrary files via an external entity in an invalid XML (1) String or (2) GenericFile object in an XPath query.", "id": "GHSA-mhx2-r3jx-g94c", "modified": "2022-11-17T19:39:36Z", "published": "2018-10-16T23:09:15Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-0264" }, { "type": "WEB", "url": "https://github.com/apache/camel/commit/7360aada5154434c68774aa30e0f21ddc5f27b9f" }, { "type": "WEB", "url": "https://github.com/apache/camel/commit/b47b51a195b38e7ab7c099d19910af70a16638f6" }, { "type": "WEB", "url": "https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc" }, { "type": "WEB", "url": "https://git-wip-us.apache.org/repos/asf?p=camel.git;a=commitdiff;h=1df559649a96a1ca0368373387e542f46e4820da" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-mhx2-r3jx-g94c" }, { "type": "PACKAGE", "url": "https://github.com/apache/camel" }, { "type": "WEB", "url": "https://issues.apache.org/jira/browse/CAMEL-8312" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf@%3Ccommits.camel.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d@%3Ccommits.camel.apache.org%3E" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2015-1041.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2015-1538.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2015-1539.html" }, { "type": "WEB", "url": "http://securitytracker.com/id/1032442" } ], "schema_version": "1.4.0", "severity": [], "summary": "Apache Camel allows remote actor to read arbitrary files via external entity in invalid XML string or GenericFile object" }
RHSA-2015:1538
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Red Hat JBoss BRMS 6.1.2, which fixes two security issues, several bugs,\nand adds various enhancements, is now available from the Red Hat\nCustomer Portal.\n\nRed Hat Product Security has rated this update as having Moderate security\nimpact. Common Vulnerability Scoring System (CVSS) base scores, which give\ndetailed severity ratings, are available for each vulnerability from the\nCVE links in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss BRMS is a business rules management system for the\nmanagement, storage, creation, modification, and deployment of JBoss Rules.\n\nThis release of Red Hat JBoss BRMS 6.1.2 serves as a replacement for Red\nHat JBoss BRMS 6.1.0, and includes bug fixes and enhancements, which are\ndocumented in the README.txt file included with the patch files.\n\nThe following security issues are also fixed with this release:\n\nIt was found that Apache Camel\u0027s XML converter performed XML External\nEntity (XXE) expansion. A remote attacker able to submit an SAXSource\ncontaining an XXE declaration could use this flaw to read files accessible\nto the user running the application server, and potentially perform other\nmore advanced XXE attacks. (CVE-2015-0263)\n\nIt was found that Apache Camel performed XML External Entity (XXE)\nexpansion when evaluating invalid XML Strings or invalid XML GenericFile\nobjects. 
A remote attacker able to submit a crafted XML message could use\nthis flaw to read files accessible to the user running the application\nserver, and potentially perform other more advanced XXE attacks.\n(CVE-2015-0264)\n\nAll users of Red Hat JBoss BRMS 6.1.0 as provided from the Red Hat Customer\nPortal are advised to upgrade to Red Hat JBoss BRMS 6.1.2.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2015:1538", "url": "https://access.redhat.com/errata/RHSA-2015:1538" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms\u0026downloadType=securityPatches\u0026version=6.1.0", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms\u0026downloadType=securityPatches\u0026version=6.1.0" }, { "category": "external", "summary": "1203341", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1203341" }, { "category": "external", "summary": "1203344", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1203344" }, { "category": "self", "summary": "Canonical URL", 
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_1538.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss BRMS 6.1.2 update", "tracking": { "current_release_date": "2025-09-10T14:08:00+00:00", "generator": { "date": "2025-09-10T14:08:00+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.7" } }, "id": "RHSA-2015:1538", "initial_release_date": "2015-08-03T19:41:41+00:00", "revision_history": [ { "date": "2015-08-03T19:41:41+00:00", "number": "1", "summary": "Initial version" }, { "date": "2019-02-20T12:36:20+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-09-10T14:08:00+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss BRMS 6.0", "product": { "name": "Red Hat JBoss BRMS 6.0", "product_id": "Red Hat JBoss BRMS 6.0", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_brms:6.0" } } } ], "category": "product_family", "name": "Red Hat Decision Manager" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2015-0263", "cwe": { "id": "CWE-611", "name": "Improper Restriction of XML External Entity Reference" }, "discovery_date": "2015-03-17T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1203344" } ], "notes": [ { "category": "description", "text": "It was found that Apache Camel\u0027s XML converter performed XML External Entity (XXE) expansion. 
A remote attacker able to submit an SAXSource containing an XXE declaration could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.", "title": "Vulnerability description" }, { "category": "summary", "text": "Camel: XXE in via SAXSource expansion", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss BRMS 6.0" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2015-0263" }, { "category": "external", "summary": "RHBZ#1203344", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1203344" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2015-0263", "url": "https://www.cve.org/CVERecord?id=CVE-2015-0263" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-0263", "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-0263" }, { "category": "external", "summary": "https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc", "url": "https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc" } ], "release_date": "2015-03-17T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2015-08-03T19:41:41+00:00", "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). 
Before applying the update, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing the\nupdate, restart the server by starting the JBoss Application Server\nprocess.", "product_ids": [ "Red Hat JBoss BRMS 6.0" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2015:1538" } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "products": [ "Red Hat JBoss BRMS 6.0" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "Camel: XXE in via SAXSource expansion" }, { "cve": "CVE-2015-0264", "cwe": { "id": "CWE-611", "name": "Improper Restriction of XML External Entity Reference" }, "discovery_date": "2015-03-17T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1203341" } ], "notes": [ { "category": "description", "text": "It was found that Apache Camel performed XML External Entity (XXE) expansion when evaluating invalid XML Strings or invalid XML GenericFile objects. 
A remote attacker able to submit a crafted XML message could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.", "title": "Vulnerability description" }, { "category": "summary", "text": "Camel: XXE via XPath expression evaluation", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss BRMS 6.0" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2015-0264" }, { "category": "external", "summary": "RHBZ#1203341", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1203341" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2015-0264", "url": "https://www.cve.org/CVERecord?id=CVE-2015-0264" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-0264", "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-0264" }, { "category": "external", "summary": "https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc", "url": "https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc" } ], "release_date": "2015-03-17T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2015-08-03T19:41:41+00:00", "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). 
Before applying the update, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing the\nupdate, restart the server by starting the JBoss Application Server\nprocess.", "product_ids": [ "Red Hat JBoss BRMS 6.0" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2015:1538" } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "products": [ "Red Hat JBoss BRMS 6.0" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "Camel: XXE via XPath expression evaluation" } ] }
rhsa-2015_1538
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Red Hat JBoss BRMS 6.1.2, which fixes two security issues, several bugs,\nand adds various enhancements, is now available from the Red Hat\nCustomer Portal.\n\nRed Hat Product Security has rated this update as having Moderate security\nimpact. Common Vulnerability Scoring System (CVSS) base scores, which give\ndetailed severity ratings, are available for each vulnerability from the\nCVE links in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss BRMS is a business rules management system for the\nmanagement, storage, creation, modification, and deployment of JBoss Rules.\n\nThis release of Red Hat JBoss BRMS 6.1.2 serves as a replacement for Red\nHat JBoss BRMS 6.1.0, and includes bug fixes and enhancements, which are\ndocumented in the README.txt file included with the patch files.\n\nThe following security issues are also fixed with this release:\n\nIt was found that Apache Camel\u0027s XML converter performed XML External\nEntity (XXE) expansion. A remote attacker able to submit an SAXSource\ncontaining an XXE declaration could use this flaw to read files accessible\nto the user running the application server, and potentially perform other\nmore advanced XXE attacks. (CVE-2015-0263)\n\nIt was found that Apache Camel performed XML External Entity (XXE)\nexpansion when evaluating invalid XML Strings or invalid XML GenericFile\nobjects. 
A remote attacker able to submit a crafted XML message could use\nthis flaw to read files accessible to the user running the application\nserver, and potentially perform other more advanced XXE attacks.\n(CVE-2015-0264)\n\nAll users of Red Hat JBoss BRMS 6.1.0 as provided from the Red Hat Customer\nPortal are advised to upgrade to Red Hat JBoss BRMS 6.1.2.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2015:1538", "url": "https://access.redhat.com/errata/RHSA-2015:1538" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms\u0026downloadType=securityPatches\u0026version=6.1.0", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms\u0026downloadType=securityPatches\u0026version=6.1.0" }, { "category": "external", "summary": "1203341", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1203341" }, { "category": "external", "summary": "1203344", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1203344" }, { "category": "self", "summary": "Canonical URL", 
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_1538.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss BRMS 6.1.2 update", "tracking": { "current_release_date": "2024-11-22T09:21:41+00:00", "generator": { "date": "2024-11-22T09:21:41+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2015:1538", "initial_release_date": "2015-08-03T19:41:41+00:00", "revision_history": [ { "date": "2015-08-03T19:41:41+00:00", "number": "1", "summary": "Initial version" }, { "date": "2019-02-20T12:36:20+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-22T09:21:41+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss BRMS 6.0", "product": { "name": "Red Hat JBoss BRMS 6.0", "product_id": "Red Hat JBoss BRMS 6.0", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_brms:6.0" } } } ], "category": "product_family", "name": "Red Hat Decision Manager" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2015-0263", "cwe": { "id": "CWE-611", "name": "Improper Restriction of XML External Entity Reference" }, "discovery_date": "2015-03-17T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1203344" } ], "notes": [ { "category": "description", "text": "It was found that Apache Camel\u0027s XML converter performed XML External Entity (XXE) expansion. 
A remote attacker able to submit an SAXSource containing an XXE declaration could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.", "title": "Vulnerability description" }, { "category": "summary", "text": "Camel: XXE in via SAXSource expansion", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss BRMS 6.0" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2015-0263" }, { "category": "external", "summary": "RHBZ#1203344", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1203344" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2015-0263", "url": "https://www.cve.org/CVERecord?id=CVE-2015-0263" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-0263", "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-0263" }, { "category": "external", "summary": "https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc", "url": "https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc" } ], "release_date": "2015-03-17T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2015-08-03T19:41:41+00:00", "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). 
Before applying the update, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing the\nupdate, restart the server by starting the JBoss Application Server\nprocess.", "product_ids": [ "Red Hat JBoss BRMS 6.0" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2015:1538" } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "products": [ "Red Hat JBoss BRMS 6.0" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "Camel: XXE in via SAXSource expansion" }, { "cve": "CVE-2015-0264", "cwe": { "id": "CWE-611", "name": "Improper Restriction of XML External Entity Reference" }, "discovery_date": "2015-03-17T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1203341" } ], "notes": [ { "category": "description", "text": "It was found that Apache Camel performed XML External Entity (XXE) expansion when evaluating invalid XML Strings or invalid XML GenericFile objects. 
A remote attacker able to submit a crafted XML message could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.", "title": "Vulnerability description" }, { "category": "summary", "text": "Camel: XXE via XPath expression evaluation", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss BRMS 6.0" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2015-0264" }, { "category": "external", "summary": "RHBZ#1203341", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1203341" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2015-0264", "url": "https://www.cve.org/CVERecord?id=CVE-2015-0264" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-0264", "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-0264" }, { "category": "external", "summary": "https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc", "url": "https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc" } ], "release_date": "2015-03-17T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2015-08-03T19:41:41+00:00", "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). 
Before applying the update, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing the\nupdate, restart the server by starting the JBoss Application Server\nprocess.", "product_ids": [ "Red Hat JBoss BRMS 6.0" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2015:1538" } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "products": [ "Red Hat JBoss BRMS 6.0" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "Camel: XXE via XPath expression evaluation" } ] }
rhsa-2015:1538
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Red Hat JBoss BRMS 6.1.2, which fixes two security issues, several bugs,\nand adds various enhancements, is now available from the Red Hat\nCustomer Portal.\n\nRed Hat Product Security has rated this update as having Moderate security\nimpact. Common Vulnerability Scoring System (CVSS) base scores, which give\ndetailed severity ratings, are available for each vulnerability from the\nCVE links in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss BRMS is a business rules management system for the\nmanagement, storage, creation, modification, and deployment of JBoss Rules.\n\nThis release of Red Hat JBoss BRMS 6.1.2 serves as a replacement for Red\nHat JBoss BRMS 6.1.0, and includes bug fixes and enhancements, which are\ndocumented in the README.txt file included with the patch files.\n\nThe following security issues are also fixed with this release:\n\nIt was found that Apache Camel\u0027s XML converter performed XML External\nEntity (XXE) expansion. A remote attacker able to submit an SAXSource\ncontaining an XXE declaration could use this flaw to read files accessible\nto the user running the application server, and potentially perform other\nmore advanced XXE attacks. (CVE-2015-0263)\n\nIt was found that Apache Camel performed XML External Entity (XXE)\nexpansion when evaluating invalid XML Strings or invalid XML GenericFile\nobjects. 
A remote attacker able to submit a crafted XML message could use\nthis flaw to read files accessible to the user running the application\nserver, and potentially perform other more advanced XXE attacks.\n(CVE-2015-0264)\n\nAll users of Red Hat JBoss BRMS 6.1.0 as provided from the Red Hat Customer\nPortal are advised to upgrade to Red Hat JBoss BRMS 6.1.2.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2015:1538", "url": "https://access.redhat.com/errata/RHSA-2015:1538" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms\u0026downloadType=securityPatches\u0026version=6.1.0", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms\u0026downloadType=securityPatches\u0026version=6.1.0" }, { "category": "external", "summary": "1203341", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1203341" }, { "category": "external", "summary": "1203344", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1203344" }, { "category": "self", "summary": "Canonical URL", 
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_1538.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss BRMS 6.1.2 update", "tracking": { "current_release_date": "2025-09-10T14:08:00+00:00", "generator": { "date": "2025-09-10T14:08:00+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.7" } }, "id": "RHSA-2015:1538", "initial_release_date": "2015-08-03T19:41:41+00:00", "revision_history": [ { "date": "2015-08-03T19:41:41+00:00", "number": "1", "summary": "Initial version" }, { "date": "2019-02-20T12:36:20+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-09-10T14:08:00+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss BRMS 6.0", "product": { "name": "Red Hat JBoss BRMS 6.0", "product_id": "Red Hat JBoss BRMS 6.0", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_brms:6.0" } } } ], "category": "product_family", "name": "Red Hat Decision Manager" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2015-0263", "cwe": { "id": "CWE-611", "name": "Improper Restriction of XML External Entity Reference" }, "discovery_date": "2015-03-17T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1203344" } ], "notes": [ { "category": "description", "text": "It was found that Apache Camel\u0027s XML converter performed XML External Entity (XXE) expansion. 
A remote attacker able to submit an SAXSource containing an XXE declaration could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.", "title": "Vulnerability description" }, { "category": "summary", "text": "Camel: XXE in via SAXSource expansion", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss BRMS 6.0" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2015-0263" }, { "category": "external", "summary": "RHBZ#1203344", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1203344" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2015-0263", "url": "https://www.cve.org/CVERecord?id=CVE-2015-0263" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-0263", "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-0263" }, { "category": "external", "summary": "https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc", "url": "https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc" } ], "release_date": "2015-03-17T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2015-08-03T19:41:41+00:00", "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). 
Before applying the update, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing the\nupdate, restart the server by starting the JBoss Application Server\nprocess.", "product_ids": [ "Red Hat JBoss BRMS 6.0" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2015:1538" } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "products": [ "Red Hat JBoss BRMS 6.0" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "Camel: XXE in via SAXSource expansion" }, { "cve": "CVE-2015-0264", "cwe": { "id": "CWE-611", "name": "Improper Restriction of XML External Entity Reference" }, "discovery_date": "2015-03-17T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1203341" } ], "notes": [ { "category": "description", "text": "It was found that Apache Camel performed XML External Entity (XXE) expansion when evaluating invalid XML Strings or invalid XML GenericFile objects. 
A remote attacker able to submit a crafted XML message could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.", "title": "Vulnerability description" }, { "category": "summary", "text": "Camel: XXE via XPath expression evaluation", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss BRMS 6.0" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2015-0264" }, { "category": "external", "summary": "RHBZ#1203341", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1203341" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2015-0264", "url": "https://www.cve.org/CVERecord?id=CVE-2015-0264" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-0264", "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-0264" }, { "category": "external", "summary": "https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc", "url": "https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc" } ], "release_date": "2015-03-17T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2015-08-03T19:41:41+00:00", "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). 
Before applying the update, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing the\nupdate, restart the server by starting the JBoss Application Server\nprocess.", "product_ids": [ "Red Hat JBoss BRMS 6.0" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2015:1538" } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "products": [ "Red Hat JBoss BRMS 6.0" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "Camel: XXE via XPath expression evaluation" } ] }
rhsa-2015_1041
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Red Hat JBoss Fuse and A-MQ 6.1.0 Patch 4 on Rollup Patch 2 (R2P4), which\nfixes two security issues, several bugs, and adds various enhancements, is\nnow available from the Red Hat Customer Portal.\n\nRed Hat Product Security has rated this update as having Moderate security\nimpact. Common Vulnerability Scoring System (CVSS) base scores, which give\ndetailed severity ratings, are available for each vulnerability from the\nCVE links in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint,\nflexible, open source enterprise service bus and integration platform.\nRed Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards compliant\nmessaging system that is tailored for use in mission critical applications.\n\nThis patch is an update to Red Hat JBoss Fuse 6.1.0 and Red Hat JBoss A-MQ\n6.1.0. It includes several bug fixes, which are documented in the\nreadme.txt file included with the patch files. The following security\nissues are addressed in this release:\n\nIt was found that Apache Camel\u0027s XML converter performed XML External\nEntity (XXE) expansion. A remote attacker able to submit an SAXSource\ncontaining an XXE declaration could use this flaw to read files accessible\nto the user running the application server, and potentially perform other\nmore advanced XXE attacks. (CVE-2015-0263)\n\nIt was found that Apache Camel performed XML External Entity (XXE)\nexpansion when evaluating invalid XML Strings or invalid XML GenericFile\nobjects. 
A remote attacker able to submit a crafted XML message could use\nthis flaw to read files accessible to the user running the application\nserver, and potentially perform other more advanced XXE attacks.\n(CVE-2015-0264)\n\nRefer to the readme.txt file included with the patch files for\ninstallation instructions.\n\nAll users of Red Hat JBoss Fuse 6.1.0 and Red Hat JBoss A-MQ 6.1.0 as\nprovided from the Red Hat Customer Portal are advised to apply this update.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2015:1041", "url": "https://access.redhat.com/errata/RHSA-2015:1041" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse\u0026downloadType=securityPatches\u0026version=6.1.0", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse\u0026downloadType=securityPatches\u0026version=6.1.0" }, { "category": "external", "summary": "1203341", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1203341" }, { "category": "external", "summary": "1203344", 
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1203344" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_1041.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Fuse/A-MQ 6.1.0 update", "tracking": { "current_release_date": "2024-11-22T09:21:36+00:00", "generator": { "date": "2024-11-22T09:21:36+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2015:1041", "initial_release_date": "2015-06-01T17:08:08+00:00", "revision_history": [ { "date": "2015-06-01T17:08:08+00:00", "number": "1", "summary": "Initial version" }, { "date": "2019-02-20T12:35:43+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-22T09:21:36+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss A-MQ 6.1", "product": { "name": "Red Hat JBoss A-MQ 6.1", "product_id": "Red Hat JBoss A-MQ 6.1", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_amq:6.1.0" } } }, { "category": "product_name", "name": "Red Hat JBoss Fuse 6.1", "product": { "name": "Red Hat JBoss Fuse 6.1", "product_id": "Red Hat JBoss Fuse 6.1", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_fuse:6.1.0" } } } ], "category": "product_family", "name": "Red Hat JBoss Fuse" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2015-0263", "cwe": { "id": "CWE-611", "name": "Improper Restriction of XML External Entity Reference" }, "discovery_date": "2015-03-17T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1203344" } ], "notes": [ { "category": "description", "text": "It was found that Apache Camel\u0027s XML converter performed XML External Entity (XXE) expansion. 
A remote attacker able to submit an SAXSource containing an XXE declaration could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.", "title": "Vulnerability description" }, { "category": "summary", "text": "Camel: XXE in via SAXSource expansion", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss A-MQ 6.1", "Red Hat JBoss Fuse 6.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2015-0263" }, { "category": "external", "summary": "RHBZ#1203344", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1203344" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2015-0263", "url": "https://www.cve.org/CVERecord?id=CVE-2015-0263" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-0263", "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-0263" }, { "category": "external", "summary": "https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc", "url": "https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc" } ], "release_date": "2015-03-17T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2015-06-01T17:08:08+00:00", "details": "The References section of this erratum contains a download link (you must\nlog in to download the update).", "product_ids": [ "Red Hat JBoss A-MQ 6.1", "Red Hat JBoss Fuse 6.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2015:1041" } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", 
"authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "products": [ "Red Hat JBoss A-MQ 6.1", "Red Hat JBoss Fuse 6.1" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "Camel: XXE in via SAXSource expansion" }, { "cve": "CVE-2015-0264", "cwe": { "id": "CWE-611", "name": "Improper Restriction of XML External Entity Reference" }, "discovery_date": "2015-03-17T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1203341" } ], "notes": [ { "category": "description", "text": "It was found that Apache Camel performed XML External Entity (XXE) expansion when evaluating invalid XML Strings or invalid XML GenericFile objects. A remote attacker able to submit a crafted XML message could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.", "title": "Vulnerability description" }, { "category": "summary", "text": "Camel: XXE via XPath expression evaluation", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss A-MQ 6.1", "Red Hat JBoss Fuse 6.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2015-0264" }, { "category": "external", "summary": "RHBZ#1203341", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1203341" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2015-0264", "url": "https://www.cve.org/CVERecord?id=CVE-2015-0264" }, { "category": "external", "summary": 
"https://nvd.nist.gov/vuln/detail/CVE-2015-0264", "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-0264" }, { "category": "external", "summary": "https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc", "url": "https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc" } ], "release_date": "2015-03-17T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2015-06-01T17:08:08+00:00", "details": "The References section of this erratum contains a download link (you must\nlog in to download the update).", "product_ids": [ "Red Hat JBoss A-MQ 6.1", "Red Hat JBoss Fuse 6.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2015:1041" } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "products": [ "Red Hat JBoss A-MQ 6.1", "Red Hat JBoss Fuse 6.1" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "Camel: XXE via XPath expression evaluation" } ] }
RHSA-2015:1041
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Red Hat JBoss Fuse and A-MQ 6.1.0 Patch 4 on Rollup Patch 2 (R2P4), which\nfixes two security issues, several bugs, and adds various enhancements, is\nnow available from the Red Hat Customer Portal.\n\nRed Hat Product Security has rated this update as having Moderate security\nimpact. Common Vulnerability Scoring System (CVSS) base scores, which give\ndetailed severity ratings, are available for each vulnerability from the\nCVE links in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint,\nflexible, open source enterprise service bus and integration platform.\nRed Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards compliant\nmessaging system that is tailored for use in mission critical applications.\n\nThis patch is an update to Red Hat JBoss Fuse 6.1.0 and Red Hat JBoss A-MQ\n6.1.0. It includes several bug fixes, which are documented in the\nreadme.txt file included with the patch files. The following security\nissues are addressed in this release:\n\nIt was found that Apache Camel\u0027s XML converter performed XML External\nEntity (XXE) expansion. A remote attacker able to submit an SAXSource\ncontaining an XXE declaration could use this flaw to read files accessible\nto the user running the application server, and potentially perform other\nmore advanced XXE attacks. (CVE-2015-0263)\n\nIt was found that Apache Camel performed XML External Entity (XXE)\nexpansion when evaluating invalid XML Strings or invalid XML GenericFile\nobjects. 
A remote attacker able to submit a crafted XML message could use\nthis flaw to read files accessible to the user running the application\nserver, and potentially perform other more advanced XXE attacks.\n(CVE-2015-0264)\n\nRefer to the readme.txt file included with the patch files for\ninstallation instructions.\n\nAll users of Red Hat JBoss Fuse 6.1.0 and Red Hat JBoss A-MQ 6.1.0 as\nprovided from the Red Hat Customer Portal are advised to apply this update.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2015:1041", "url": "https://access.redhat.com/errata/RHSA-2015:1041" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse\u0026downloadType=securityPatches\u0026version=6.1.0", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse\u0026downloadType=securityPatches\u0026version=6.1.0" }, { "category": "external", "summary": "1203341", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1203341" }, { "category": "external", "summary": "1203344", 
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1203344" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_1041.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Fuse/A-MQ 6.1.0 update", "tracking": { "current_release_date": "2025-09-10T14:07:09+00:00", "generator": { "date": "2025-09-10T14:07:09+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.7" } }, "id": "RHSA-2015:1041", "initial_release_date": "2015-06-01T17:08:08+00:00", "revision_history": [ { "date": "2015-06-01T17:08:08+00:00", "number": "1", "summary": "Initial version" }, { "date": "2019-02-20T12:35:43+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-09-10T14:07:09+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss A-MQ 6.1", "product": { "name": "Red Hat JBoss A-MQ 6.1", "product_id": "Red Hat JBoss A-MQ 6.1", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_amq:6.1.0" } } }, { "category": "product_name", "name": "Red Hat JBoss Fuse 6.1", "product": { "name": "Red Hat JBoss Fuse 6.1", "product_id": "Red Hat JBoss Fuse 6.1", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_fuse:6.1.0" } } } ], "category": "product_family", "name": "Red Hat JBoss Fuse" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2015-0263", "cwe": { "id": "CWE-611", "name": "Improper Restriction of XML External Entity Reference" }, "discovery_date": "2015-03-17T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1203344" } ], "notes": [ { "category": "description", "text": "It was found that Apache Camel\u0027s XML converter performed XML External Entity (XXE) expansion. 
A remote attacker able to submit an SAXSource containing an XXE declaration could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.", "title": "Vulnerability description" }, { "category": "summary", "text": "Camel: XXE in via SAXSource expansion", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss A-MQ 6.1", "Red Hat JBoss Fuse 6.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2015-0263" }, { "category": "external", "summary": "RHBZ#1203344", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1203344" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2015-0263", "url": "https://www.cve.org/CVERecord?id=CVE-2015-0263" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-0263", "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-0263" }, { "category": "external", "summary": "https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc", "url": "https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc" } ], "release_date": "2015-03-17T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2015-06-01T17:08:08+00:00", "details": "The References section of this erratum contains a download link (you must\nlog in to download the update).", "product_ids": [ "Red Hat JBoss A-MQ 6.1", "Red Hat JBoss Fuse 6.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2015:1041" } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", 
"authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "products": [ "Red Hat JBoss A-MQ 6.1", "Red Hat JBoss Fuse 6.1" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "Camel: XXE in via SAXSource expansion" }, { "cve": "CVE-2015-0264", "cwe": { "id": "CWE-611", "name": "Improper Restriction of XML External Entity Reference" }, "discovery_date": "2015-03-17T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1203341" } ], "notes": [ { "category": "description", "text": "It was found that Apache Camel performed XML External Entity (XXE) expansion when evaluating invalid XML Strings or invalid XML GenericFile objects. A remote attacker able to submit a crafted XML message could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.", "title": "Vulnerability description" }, { "category": "summary", "text": "Camel: XXE via XPath expression evaluation", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss A-MQ 6.1", "Red Hat JBoss Fuse 6.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2015-0264" }, { "category": "external", "summary": "RHBZ#1203341", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1203341" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2015-0264", "url": "https://www.cve.org/CVERecord?id=CVE-2015-0264" }, { "category": "external", "summary": 
"https://nvd.nist.gov/vuln/detail/CVE-2015-0264", "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-0264" }, { "category": "external", "summary": "https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc", "url": "https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc" } ], "release_date": "2015-03-17T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2015-06-01T17:08:08+00:00", "details": "The References section of this erratum contains a download link (you must\nlog in to download the update).", "product_ids": [ "Red Hat JBoss A-MQ 6.1", "Red Hat JBoss Fuse 6.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2015:1041" } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "products": [ "Red Hat JBoss A-MQ 6.1", "Red Hat JBoss Fuse 6.1" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "Camel: XXE via XPath expression evaluation" } ] }
rhsa-2015:1539
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Red Hat JBoss BPM Suite 6.1.2, which fixes three security issues, several\nbugs, and adds various enhancements, is now available from the Red Hat\nCustomer Portal.\n\nRed Hat Product Security has rated this update as having Moderate security\nimpact. Common Vulnerability Scoring System (CVSS) base scores, which give\ndetailed severity ratings, are available for each vulnerability from the\nCVE links in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss BPM Suite is a business rules and processes management system\nfor the management, storage, creation, modification, and deployment of\nJBoss rules and BPMN2-compliant business processes.\n\nThis release of Red Hat JBoss BPM Suite 6.1.2 serves as a replacement for\nRed Hat JBoss BPM Suite 6.1.0, and includes bug fixes and enhancements,\nwhich are documented in the README.txt file included with the patch files.\n\nThe following security issues are also fixed with this release:\n\nIt was found that Apache Camel\u0027s XML converter performed XML External\nEntity (XXE) expansion. A remote attacker able to submit an SAXSource\ncontaining an XXE declaration could use this flaw to read files accessible\nto the user running the application server, and potentially perform other\nmore advanced XXE attacks. (CVE-2015-0263)\n\nIt was found that Apache Camel performed XML External Entity (XXE)\nexpansion when evaluating invalid XML Strings or invalid XML GenericFile\nobjects. 
A remote attacker able to submit a crafted XML message could use\nthis flaw to read files accessible to the user running the application\nserver, and potentially perform other more advanced XXE attacks.\n(CVE-2015-0264)\n\nA flaw was found in the dashbuilder import facility: the DocumentBuilders\ninstantiated in org.jboss.dashboard.export.ImportManagerImpl did not\ndisable external entities. This could allow an attacker to perform a\nvariety of XML External Entity (XXE) and Server-Side Request Forgery (SSRF)\nattacks. (CVE-2015-1818)\n\nRed Hat would like to thank David Jorm of IIX Product Security for\nreporting the CVE-2015-1818 issue.\n\nAll users of Red Hat JBoss BPM Suite 6.1.0 as provided from the Red Hat\nCustomer Portal are advised to upgrade to Red Hat JBoss BPM Suite 6.1.2.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2015:1539", "url": "https://access.redhat.com/errata/RHSA-2015:1539" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite\u0026downloadType=securityPatches\u0026version=6.1.0", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite\u0026downloadType=securityPatches\u0026version=6.1.0" }, { "category": "external", "summary": "1201714", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1201714" }, { "category": "external", "summary": "1203341", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1203341" }, { "category": "external", "summary": "1203344", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1203344" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_1539.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss BPM Suite 6.1.2 update", "tracking": { "current_release_date": "2025-09-10T14:08:03+00:00", "generator": { "date": "2025-09-10T14:08:03+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.7" } }, "id": "RHSA-2015:1539", "initial_release_date": "2015-08-03T19:41:04+00:00", "revision_history": [ { "date": "2015-08-03T19:41:04+00:00", "number": "1", "summary": "Initial version" }, { 
"date": "2019-02-20T12:35:41+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-09-10T14:08:03+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss BPMS 6.0", "product": { "name": "Red Hat JBoss BPMS 6.0", "product_id": "Red Hat JBoss BPMS 6.0", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_bpms:6.0" } } } ], "category": "product_family", "name": "Red Hat Process Automation Manager" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2015-0263", "cwe": { "id": "CWE-611", "name": "Improper Restriction of XML External Entity Reference" }, "discovery_date": "2015-03-17T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1203344" } ], "notes": [ { "category": "description", "text": "It was found that Apache Camel\u0027s XML converter performed XML External Entity (XXE) expansion. 
A remote attacker able to submit an SAXSource containing an XXE declaration could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.", "title": "Vulnerability description" }, { "category": "summary", "text": "Camel: XXE in via SAXSource expansion", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss BPMS 6.0" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2015-0263" }, { "category": "external", "summary": "RHBZ#1203344", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1203344" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2015-0263", "url": "https://www.cve.org/CVERecord?id=CVE-2015-0263" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-0263", "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-0263" }, { "category": "external", "summary": "https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc", "url": "https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc" } ], "release_date": "2015-03-17T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2015-08-03T19:41:04+00:00", "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). 
Before applying the update, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing\nthe update, restart the server by starting the JBoss Application Server\nprocess.", "product_ids": [ "Red Hat JBoss BPMS 6.0" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2015:1539" } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "products": [ "Red Hat JBoss BPMS 6.0" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "Camel: XXE in via SAXSource expansion" }, { "cve": "CVE-2015-0264", "cwe": { "id": "CWE-611", "name": "Improper Restriction of XML External Entity Reference" }, "discovery_date": "2015-03-17T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1203341" } ], "notes": [ { "category": "description", "text": "It was found that Apache Camel performed XML External Entity (XXE) expansion when evaluating invalid XML Strings or invalid XML GenericFile objects. 
A remote attacker able to submit a crafted XML message could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.", "title": "Vulnerability description" }, { "category": "summary", "text": "Camel: XXE via XPath expression evaluation", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss BPMS 6.0" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2015-0264" }, { "category": "external", "summary": "RHBZ#1203341", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1203341" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2015-0264", "url": "https://www.cve.org/CVERecord?id=CVE-2015-0264" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-0264", "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-0264" }, { "category": "external", "summary": "https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc", "url": "https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc" } ], "release_date": "2015-03-17T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2015-08-03T19:41:04+00:00", "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). 
Before applying the update, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing\nthe update, restart the server by starting the JBoss Application Server\nprocess.", "product_ids": [ "Red Hat JBoss BPMS 6.0" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2015:1539" } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "products": [ "Red Hat JBoss BPMS 6.0" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "Camel: XXE via XPath expression evaluation" }, { "acknowledgments": [ { "names": [ "David Jorm" ], "organization": "IIX Product Security" } ], "cve": "CVE-2015-1818", "cwe": { "id": "CWE-611", "name": "Improper Restriction of XML External Entity Reference" }, "discovery_date": "2015-03-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1201714" } ], "notes": [ { "category": "description", "text": "A flaw was found in the dashbuilder import facility: the DocumentBuilders instantiated in org.jboss.dashboard.export.ImportManagerImpl did not disable external entities. 
This could allow an attacker to perform a variety of XML External Entity (XXE) and Server-Side Request Forgery (SSRF) attacks.", "title": "Vulnerability description" }, { "category": "summary", "text": "dashbuilder: XXE/SSRF vulnerability", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss BPMS 6.0" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2015-1818" }, { "category": "external", "summary": "RHBZ#1201714", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1201714" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2015-1818", "url": "https://www.cve.org/CVERecord?id=CVE-2015-1818" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-1818", "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-1818" } ], "release_date": "2015-03-13T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2015-08-03T19:41:04+00:00", "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). 
Before applying the update, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing\nthe update, restart the server by starting the JBoss Application Server\nprocess.", "product_ids": [ "Red Hat JBoss BPMS 6.0" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2015:1539" } ], "scores": [ { "cvss_v2": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0" }, "products": [ "Red Hat JBoss BPMS 6.0" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "dashbuilder: XXE/SSRF vulnerability" } ] }
rhsa-2015:2558
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Red Hat JBoss Fuse Service Works 6.2.1, which fixes three security issues\nand various bugs, is now available from the Red Hat Customer Portal.\n\nRed Hat Product Security has rated this update as having Important security\nimpact. Common Vulnerability Scoring System (CVSS) base scores, which give\ndetailed severity ratings, are available for each vulnerability from the\nCVE links in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Fuse Service Works is the next-generation ESB and business\nprocess automation infrastructure.\n\nThis release of Red Hat JBoss Fuse Service Works 6.2.1 serves as a\nreplacement for Red Hat JBoss Fuse Service Works 6.0.0. It includes various\nbug fixes, which are listed in the README file included with the patch\nfiles.\n\nThe following security issues are fixed with this release:\n\nA flaw was discovered that when an application uses Groovy (has it on the\nclasspath) and uses the standard Java serialization mechanism, an attacker\ncan bake a special serialized object that executes code directly when\ndeserialized. All applications which rely on serialization and do not\nisolate the code which deserializes objects are subject to this\nvulnerability. (CVE-2015-3253)\n\nIt was found that Apache Camel\u0027s XML converter performed XML External\nEntity (XXE) expansion. A remote attacker able to submit an SAXSource\ncontaining an XXE declaration could use this flaw to read files accessible\nto the user running the application server, and potentially perform other\nmore advanced XXE attacks. 
(CVE-2015-0263)\n\nIt was found that Apache Camel performed XML External Entity (XXE)\nexpansion when evaluating invalid XML Strings or invalid XML GenericFile\nobjects. A remote attacker able to submit a crafted XML message could use\nthis flaw to read files accessible to the user running the application\nserver, and potentially perform other more advanced XXE attacks.\n(CVE-2015-0264)\n\nAll users of Red Hat JBoss Fuse Service Works 6.0.0 as provided from the\nRed Hat Customer Portal are advised to apply this security update.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2015:2558", "url": "https://access.redhat.com/errata/RHSA-2015:2558" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse.serviceworks\u0026downloadType=distributions\u0026version=6.2.1", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse.serviceworks\u0026downloadType=distributions\u0026version=6.2.1" }, { "category": "external", "summary": "1203341", "url": 
"https://bugzilla.redhat.com/show_bug.cgi?id=1203341" }, { "category": "external", "summary": "1203344", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1203344" }, { "category": "external", "summary": "1243934", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1243934" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_2558.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Fuse Service Works 6.2.1 update", "tracking": { "current_release_date": "2025-09-10T14:09:43+00:00", "generator": { "date": "2025-09-10T14:09:43+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.7" } }, "id": "RHSA-2015:2558", "initial_release_date": "2015-12-07T20:46:48+00:00", "revision_history": [ { "date": "2015-12-07T20:46:48+00:00", "number": "1", "summary": "Initial version" }, { "date": "2019-02-20T12:38:27+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-09-10T14:09:43+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss Fuse Service Works 6.2", "product": { "name": "Red Hat JBoss Fuse Service Works 6.2", "product_id": "Red Hat JBoss Fuse Service Works 6.2", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_fuse_service_works:6.2" } } } ], "category": "product_family", "name": "Red Hat JBoss Fuse Service Works" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2015-0263", "cwe": { "id": "CWE-611", "name": "Improper Restriction of XML External Entity Reference" }, "discovery_date": "2015-03-17T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1203344" } ], "notes": [ { "category": "description", "text": "It was found that Apache Camel\u0027s XML converter performed XML External Entity (XXE) expansion. 
A remote attacker able to submit an SAXSource containing an XXE declaration could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.", "title": "Vulnerability description" }, { "category": "summary", "text": "Camel: XXE in via SAXSource expansion", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Fuse Service Works 6.2" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2015-0263" }, { "category": "external", "summary": "RHBZ#1203344", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1203344" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2015-0263", "url": "https://www.cve.org/CVERecord?id=CVE-2015-0263" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-0263", "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-0263" }, { "category": "external", "summary": "https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc", "url": "https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc" } ], "release_date": "2015-03-17T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2015-12-07T20:46:48+00:00", "details": "The References section of this erratum contains a download link (you must\nlog in to download the updates). 
Before applying the updates, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing\nthe update, restart the server by starting the JBoss Application Server\nprocess.", "product_ids": [ "Red Hat JBoss Fuse Service Works 6.2" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2015:2558" } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "products": [ "Red Hat JBoss Fuse Service Works 6.2" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "Camel: XXE in via SAXSource expansion" }, { "cve": "CVE-2015-0264", "cwe": { "id": "CWE-611", "name": "Improper Restriction of XML External Entity Reference" }, "discovery_date": "2015-03-17T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1203341" } ], "notes": [ { "category": "description", "text": "It was found that Apache Camel performed XML External Entity (XXE) expansion when evaluating invalid XML Strings or invalid XML GenericFile objects. 
A remote attacker able to submit a crafted XML message could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.", "title": "Vulnerability description" }, { "category": "summary", "text": "Camel: XXE via XPath expression evaluation", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Fuse Service Works 6.2" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2015-0264" }, { "category": "external", "summary": "RHBZ#1203341", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1203341" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2015-0264", "url": "https://www.cve.org/CVERecord?id=CVE-2015-0264" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-0264", "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-0264" }, { "category": "external", "summary": "https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc", "url": "https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc" } ], "release_date": "2015-03-17T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2015-12-07T20:46:48+00:00", "details": "The References section of this erratum contains a download link (you must\nlog in to download the updates). 
Before applying the updates, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing\nthe update, restart the server by starting the JBoss Application Server\nprocess.", "product_ids": [ "Red Hat JBoss Fuse Service Works 6.2" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2015:2558" } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "products": [ "Red Hat JBoss Fuse Service Works 6.2" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "Camel: XXE via XPath expression evaluation" }, { "cve": "CVE-2015-3253", "cwe": { "id": "CWE-284", "name": "Improper Access Control" }, "discovery_date": "2015-07-16T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1243934" } ], "notes": [ { "category": "description", "text": "A flaw was discovered in the way applications using Groovy used the standard Java serialization mechanism. A remote attacker could use a specially crafted serialized object that would execute code directly when deserialized. 
All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability.", "title": "Vulnerability description" }, { "category": "summary", "text": "groovy: remote execution of untrusted code in class MethodClosure", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Fuse Service Works 6.2" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2015-3253" }, { "category": "external", "summary": "RHBZ#1243934", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1243934" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2015-3253", "url": "https://www.cve.org/CVERecord?id=CVE-2015-3253" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-3253", "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-3253" }, { "category": "external", "summary": "http://seclists.org/oss-sec/2015/q3/121", "url": "http://seclists.org/oss-sec/2015/q3/121" } ], "release_date": "2015-07-16T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2015-12-07T20:46:48+00:00", "details": "The References section of this erratum contains a download link (you must\nlog in to download the updates). 
Before applying the updates, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing\nthe update, restart the server by starting the JBoss Application Server\nprocess.", "product_ids": [ "Red Hat JBoss Fuse Service Works 6.2" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2015:2558" }, { "category": "workaround", "details": "Apply the following patch on the MethodClosure class (src/main/org/codehaus/groovy/runtime/MethodClosure.java):\n\n public class MethodClosure extends Closure {\n + private Object readResolve() {\n + throw new UnsupportedOperationException();\n + \n }\n\nAlternatively, you should make sure to use a custom security policy file (using the standard Java security manager) or make sure that you do not rely on serialization to communicate remotely.", "product_ids": [ "Red Hat JBoss Fuse Service Works 6.2" ] } ], "scores": [ { "cvss_v2": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.0" }, "products": [ "Red Hat JBoss Fuse Service Works 6.2" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "groovy: remote execution of untrusted code in class MethodClosure" } ] }
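Review bot: the readResolve() hunk in the CVE-2015-3253 workaround quoted above is missing the method's closing brace, so the patch as printed does not compile; the added lines should read `+ private Object readResolve() {`, `+ throw new UnsupportedOperationException();`, `+ }` before the class's own closing brace. The mechanism itself is sound as far as it goes: ObjectInputStream calls readResolve() once a MethodClosure instance has been read, so throwing there aborts the deserialization before the closure can reach application code, but it protects only this one class, which is why the advisory's second recommendation (do not rely on Java serialization for remote input, or isolate the code that deserializes it) still applies after the patch.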
RHSA-2015:1539
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Red Hat JBoss BPM Suite 6.1.2, which fixes three security issues, several\nbugs, and adds various enhancements, is now available from the Red Hat\nCustomer Portal.\n\nRed Hat Product Security has rated this update as having Moderate security\nimpact. Common Vulnerability Scoring System (CVSS) base scores, which give\ndetailed severity ratings, are available for each vulnerability from the\nCVE links in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss BPM Suite is a business rules and processes management system\nfor the management, storage, creation, modification, and deployment of\nJBoss rules and BPMN2-compliant business processes.\n\nThis release of Red Hat JBoss BPM Suite 6.1.2 serves as a replacement for\nRed Hat JBoss BPM Suite 6.1.0, and includes bug fixes and enhancements,\nwhich are documented in the README.txt file included with the patch files.\n\nThe following security issues are also fixed with this release:\n\nIt was found that Apache Camel\u0027s XML converter performed XML External\nEntity (XXE) expansion. A remote attacker able to submit an SAXSource\ncontaining an XXE declaration could use this flaw to read files accessible\nto the user running the application server, and potentially perform other\nmore advanced XXE attacks. (CVE-2015-0263)\n\nIt was found that Apache Camel performed XML External Entity (XXE)\nexpansion when evaluating invalid XML Strings or invalid XML GenericFile\nobjects. 
A remote attacker able to submit a crafted XML message could use\nthis flaw to read files accessible to the user running the application\nserver, and potentially perform other more advanced XXE attacks.\n(CVE-2015-0264)\n\nA flaw was found in the dashbuilder import facility: the DocumentBuilders\ninstantiated in org.jboss.dashboard.export.ImportManagerImpl did not\ndisable external entities. This could allow an attacker to perform a\nvariety of XML External Entity (XXE) and Server-Side Request Forgery (SSRF)\nattacks. (CVE-2015-1818)\n\nRed Hat would like to thank David Jorm of IIX Product Security for\nreporting the CVE-2015-1818 issue.\n\nAll users of Red Hat JBoss BPM Suite 6.1.0 as provided from the Red Hat\nCustomer Portal are advised to upgrade to Red Hat JBoss BPM Suite 6.1.2.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2015:1539", "url": "https://access.redhat.com/errata/RHSA-2015:1539" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite\u0026downloadType=securityPatches\u0026version=6.1.0", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite\u0026downloadType=securityPatches\u0026version=6.1.0" }, { "category": "external", "summary": "1201714", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1201714" }, { "category": "external", "summary": "1203341", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1203341" }, { "category": "external", "summary": "1203344", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1203344" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_1539.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss BPM Suite 6.1.2 update", "tracking": { "current_release_date": "2025-09-10T14:08:03+00:00", "generator": { "date": "2025-09-10T14:08:03+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.7" } }, "id": "RHSA-2015:1539", "initial_release_date": "2015-08-03T19:41:04+00:00", "revision_history": [ { "date": "2015-08-03T19:41:04+00:00", "number": "1", "summary": "Initial version" }, { 
"date": "2019-02-20T12:35:41+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-09-10T14:08:03+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss BPMS 6.0", "product": { "name": "Red Hat JBoss BPMS 6.0", "product_id": "Red Hat JBoss BPMS 6.0", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_bpms:6.0" } } } ], "category": "product_family", "name": "Red Hat Process Automation Manager" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2015-0263", "cwe": { "id": "CWE-611", "name": "Improper Restriction of XML External Entity Reference" }, "discovery_date": "2015-03-17T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1203344" } ], "notes": [ { "category": "description", "text": "It was found that Apache Camel\u0027s XML converter performed XML External Entity (XXE) expansion. 
A remote attacker able to submit an SAXSource containing an XXE declaration could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.", "title": "Vulnerability description" }, { "category": "summary", "text": "Camel: XXE in via SAXSource expansion", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss BPMS 6.0" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2015-0263" }, { "category": "external", "summary": "RHBZ#1203344", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1203344" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2015-0263", "url": "https://www.cve.org/CVERecord?id=CVE-2015-0263" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-0263", "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-0263" }, { "category": "external", "summary": "https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc", "url": "https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc" } ], "release_date": "2015-03-17T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2015-08-03T19:41:04+00:00", "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). 
Before applying the update, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing\nthe update, restart the server by starting the JBoss Application Server\nprocess.", "product_ids": [ "Red Hat JBoss BPMS 6.0" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2015:1539" } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "products": [ "Red Hat JBoss BPMS 6.0" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "Camel: XXE in via SAXSource expansion" }, { "cve": "CVE-2015-0264", "cwe": { "id": "CWE-611", "name": "Improper Restriction of XML External Entity Reference" }, "discovery_date": "2015-03-17T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1203341" } ], "notes": [ { "category": "description", "text": "It was found that Apache Camel performed XML External Entity (XXE) expansion when evaluating invalid XML Strings or invalid XML GenericFile objects. 
A remote attacker able to submit a crafted XML message could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.", "title": "Vulnerability description" }, { "category": "summary", "text": "Camel: XXE via XPath expression evaluation", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss BPMS 6.0" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2015-0264" }, { "category": "external", "summary": "RHBZ#1203341", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1203341" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2015-0264", "url": "https://www.cve.org/CVERecord?id=CVE-2015-0264" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-0264", "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-0264" }, { "category": "external", "summary": "https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc", "url": "https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc" } ], "release_date": "2015-03-17T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2015-08-03T19:41:04+00:00", "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). 
Before applying the update, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing\nthe update, restart the server by starting the JBoss Application Server\nprocess.", "product_ids": [ "Red Hat JBoss BPMS 6.0" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2015:1539" } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "products": [ "Red Hat JBoss BPMS 6.0" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "Camel: XXE via XPath expression evaluation" }, { "acknowledgments": [ { "names": [ "David Jorm" ], "organization": "IIX Product Security" } ], "cve": "CVE-2015-1818", "cwe": { "id": "CWE-611", "name": "Improper Restriction of XML External Entity Reference" }, "discovery_date": "2015-03-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1201714" } ], "notes": [ { "category": "description", "text": "A flaw was found in the dashbuilder import facility: the DocumentBuilders instantiated in org.jboss.dashboard.export.ImportManagerImpl did not disable external entities. 
This could allow an attacker to perform a variety of XML External Entity (XXE) and Server-Side Request Forgery (SSRF) attacks.", "title": "Vulnerability description" }, { "category": "summary", "text": "dashbuilder: XXE/SSRF vulnerability", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss BPMS 6.0" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2015-1818" }, { "category": "external", "summary": "RHBZ#1201714", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1201714" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2015-1818", "url": "https://www.cve.org/CVERecord?id=CVE-2015-1818" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-1818", "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-1818" } ], "release_date": "2015-03-13T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2015-08-03T19:41:04+00:00", "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). 
Before applying the update, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing\nthe update, restart the server by starting the JBoss Application Server\nprocess.", "product_ids": [ "Red Hat JBoss BPMS 6.0" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2015:1539" } ], "scores": [ { "cvss_v2": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0" }, "products": [ "Red Hat JBoss BPMS 6.0" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "dashbuilder: XXE/SSRF vulnerability" } ] }
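The three XXE issues in this advisory (CVE-2015-0263, CVE-2015-0264, CVE-2015-1818) share one root cause: untrusted XML is handed to a JAXP DocumentBuilder left at its defaults, and the default parser resolves the SYSTEM identifier of an entity declared in the message's own DOCTYPE, so the entity expands to the contents of any file readable by the application-server user. The following is an added example and is not Camel's, dashbuilder's or Red Hat's code: it mirrors the CVE-2015-0264 shape (an XPath expression evaluated over a String message body) first with a default-configured factory and then with a factory that refuses DOCTYPE declarations and external entities. The class and method names, the XPath expression, and the temporary file standing in for a server-readable secret are assumptions made for the illustration.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathFactory;

import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

/**
 * Added example (not Camel's code). Evaluates an XPath expression over an
 * attacker-supplied XML String, once with JAXP defaults (the pattern behind
 * CVE-2015-0263/0264/1818) and once with a hardened DocumentBuilderFactory.
 */
public class XxeXPathDemo {

    /** Constructed attacker message: the DOCTYPE declares an entity whose SYSTEM id points at a local file. */
    static String craftedBody(Path secret) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE order [\n"
             + "  <!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">\n"
             + "]>\n"
             + "<order><customer>&xxe;</customer></order>";
    }

    /** Vulnerable: a default factory resolves the external entity while building the DOM. */
    static String evaluateVulnerable(String xml, String xpath) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        XPath xp = XPathFactory.newInstance().newXPath();
        return xp.evaluate(xpath, doc); // the entity has already been expanded into the text node
    }

    /** Hardened: reject any DOCTYPE outright, and additionally switch off every entity/DTD fetch path. */
    static String evaluateHardened(String xml, String xpath) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Primary control: a message that carries a DOCTYPE is refused before any entity is seen.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that ignore the feature above.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        XPath xp = XPathFactory.newInstance().newXPath();
        return xp.evaluate(xpath, doc);
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a file readable by the application-server user.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.write(secret, "db.password=hunter2".getBytes(StandardCharsets.UTF_8));
        String body = craftedBody(secret);
        String expr = "/order/customer/text()";

        // Prints the file contents: the "customer" text node now holds the secret.
        System.out.println("vulnerable: " + evaluateVulnerable(body, expr));
        try {
            evaluateHardened(body, expr);
        } catch (SAXParseException e) {
            // The hardened parser stops at the DOCTYPE; the entity is never resolved.
            System.out.println("hardened: rejected (" + e.getMessage() + ")");
        }
        Files.deleteIfExists(secret);
    }
}
```

Compile and run with `javac XxeXPathDemo.java && java XxeXPathDemo`. Whether the first call really returns the file contents depends on the JDK's JAXP defaults (the built-in parser resolves external entities unless the `javax.xml.accessExternalDTD` property has been restricted in `jaxp.properties`); the hardened call rejects the message on any JDK. Disallowing the DOCTYPE is the control to reach for whenever the application has no legitimate need for DTDs, because it also closes entity-expansion denial of service and the SSRF variant named for CVE-2015-1818; for Camel itself the remedy is the fixed release the advisory points to, not re-implementing the converter.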
RHSA-2015:2558
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Red Hat JBoss Fuse Service Works 6.2.1, which fixes three security issues\nand various bugs, is now available from the Red Hat Customer Portal.\n\nRed Hat Product Security has rated this update as having Important security\nimpact. Common Vulnerability Scoring System (CVSS) base scores, which give\ndetailed severity ratings, are available for each vulnerability from the\nCVE links in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Fuse Service Works is the next-generation ESB and business\nprocess automation infrastructure.\n\nThis release of Red Hat JBoss Fuse Service Works 6.2.1 serves as a\nreplacement for Red Hat JBoss Fuse Service Works 6.0.0. It includes various\nbug fixes, which are listed in the README file included with the patch\nfiles.\n\nThe following security issues are fixed with this release:\n\nA flaw was discovered that when an application uses Groovy (has it on the\nclasspath) and uses the standard Java serialization mechanism, an attacker\ncan bake a special serialized object that executes code directly when\ndeserialized. All applications which rely on serialization and do not\nisolate the code which deserializes objects are subject to this\nvulnerability. (CVE-2015-3253)\n\nIt was found that Apache Camel\u0027s XML converter performed XML External\nEntity (XXE) expansion. A remote attacker able to submit an SAXSource\ncontaining an XXE declaration could use this flaw to read files accessible\nto the user running the application server, and potentially perform other\nmore advanced XXE attacks. 
(CVE-2015-0263)\n\nIt was found that Apache Camel performed XML External Entity (XXE)\nexpansion when evaluating invalid XML Strings or invalid XML GenericFile\nobjects. A remote attacker able to submit a crafted XML message could use\nthis flaw to read files accessible to the user running the application\nserver, and potentially perform other more advanced XXE attacks.\n(CVE-2015-0264)\n\nAll users of Red Hat JBoss Fuse Service Works 6.0.0 as provided from the\nRed Hat Customer Portal are advised to apply this security update.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2015:2558", "url": "https://access.redhat.com/errata/RHSA-2015:2558" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse.serviceworks\u0026downloadType=distributions\u0026version=6.2.1", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse.serviceworks\u0026downloadType=distributions\u0026version=6.2.1" }, { "category": "external", "summary": "1203341", "url": 
"https://bugzilla.redhat.com/show_bug.cgi?id=1203341" }, { "category": "external", "summary": "1203344", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1203344" }, { "category": "external", "summary": "1243934", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1243934" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_2558.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Fuse Service Works 6.2.1 update", "tracking": { "current_release_date": "2025-09-10T14:09:43+00:00", "generator": { "date": "2025-09-10T14:09:43+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.7" } }, "id": "RHSA-2015:2558", "initial_release_date": "2015-12-07T20:46:48+00:00", "revision_history": [ { "date": "2015-12-07T20:46:48+00:00", "number": "1", "summary": "Initial version" }, { "date": "2019-02-20T12:38:27+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-09-10T14:09:43+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss Fuse Service Works 6.2", "product": { "name": "Red Hat JBoss Fuse Service Works 6.2", "product_id": "Red Hat JBoss Fuse Service Works 6.2", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_fuse_service_works:6.2" } } } ], "category": "product_family", "name": "Red Hat JBoss Fuse Service Works" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2015-0263", "cwe": { "id": "CWE-611", "name": "Improper Restriction of XML External Entity Reference" }, "discovery_date": "2015-03-17T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1203344" } ], "notes": [ { "category": "description", "text": "It was found that Apache Camel\u0027s XML converter performed XML External Entity (XXE) expansion. 
A remote attacker able to submit an SAXSource containing an XXE declaration could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.", "title": "Vulnerability description" }, { "category": "summary", "text": "Camel: XXE in via SAXSource expansion", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Fuse Service Works 6.2" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2015-0263" }, { "category": "external", "summary": "RHBZ#1203344", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1203344" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2015-0263", "url": "https://www.cve.org/CVERecord?id=CVE-2015-0263" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-0263", "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-0263" }, { "category": "external", "summary": "https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc", "url": "https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc" } ], "release_date": "2015-03-17T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2015-12-07T20:46:48+00:00", "details": "The References section of this erratum contains a download link (you must\nlog in to download the updates). 
Before applying the updates, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing\nthe update, restart the server by starting the JBoss Application Server\nprocess.", "product_ids": [ "Red Hat JBoss Fuse Service Works 6.2" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2015:2558" } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "products": [ "Red Hat JBoss Fuse Service Works 6.2" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "Camel: XXE in via SAXSource expansion" }, { "cve": "CVE-2015-0264", "cwe": { "id": "CWE-611", "name": "Improper Restriction of XML External Entity Reference" }, "discovery_date": "2015-03-17T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1203341" } ], "notes": [ { "category": "description", "text": "It was found that Apache Camel performed XML External Entity (XXE) expansion when evaluating invalid XML Strings or invalid XML GenericFile objects. 
A remote attacker able to submit a crafted XML message could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.", "title": "Vulnerability description" }, { "category": "summary", "text": "Camel: XXE via XPath expression evaluation", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Fuse Service Works 6.2" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2015-0264" }, { "category": "external", "summary": "RHBZ#1203341", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1203341" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2015-0264", "url": "https://www.cve.org/CVERecord?id=CVE-2015-0264" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-0264", "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-0264" }, { "category": "external", "summary": "https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc", "url": "https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc" } ], "release_date": "2015-03-17T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2015-12-07T20:46:48+00:00", "details": "The References section of this erratum contains a download link (you must\nlog in to download the updates). 
Before applying the updates, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing\nthe update, restart the server by starting the JBoss Application Server\nprocess.", "product_ids": [ "Red Hat JBoss Fuse Service Works 6.2" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2015:2558" } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "products": [ "Red Hat JBoss Fuse Service Works 6.2" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "Camel: XXE via XPath expression evaluation" }, { "cve": "CVE-2015-3253", "cwe": { "id": "CWE-284", "name": "Improper Access Control" }, "discovery_date": "2015-07-16T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1243934" } ], "notes": [ { "category": "description", "text": "A flaw was discovered in the way applications using Groovy used the standard Java serialization mechanism. A remote attacker could use a specially crafted serialized object that would execute code directly when deserialized. 
All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability.", "title": "Vulnerability description" }, { "category": "summary", "text": "groovy: remote execution of untrusted code in class MethodClosure", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Fuse Service Works 6.2" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2015-3253" }, { "category": "external", "summary": "RHBZ#1243934", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1243934" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2015-3253", "url": "https://www.cve.org/CVERecord?id=CVE-2015-3253" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-3253", "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-3253" }, { "category": "external", "summary": "http://seclists.org/oss-sec/2015/q3/121", "url": "http://seclists.org/oss-sec/2015/q3/121" } ], "release_date": "2015-07-16T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2015-12-07T20:46:48+00:00", "details": "The References section of this erratum contains a download link (you must\nlog in to download the updates). 
Before applying the updates, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing\nthe update, restart the server by starting the JBoss Application Server\nprocess.", "product_ids": [ "Red Hat JBoss Fuse Service Works 6.2" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2015:2558" }, { "category": "workaround", "details": "Apply the following patch on the MethodClosure class (src/main/org/codehaus/groovy/runtime/MethodClosure.java):\n\n public class MethodClosure extends Closure {\n + private Object readResolve() {\n + throw new UnsupportedOperationException();\n + \n }\n\nAlternatively, you should make sure to use a custom security policy file (using the standard Java security manager) or make sure that you do not rely on serialization to communicate remotely.", "product_ids": [ "Red Hat JBoss Fuse Service Works 6.2" ] } ], "scores": [ { "cvss_v2": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.0" }, "products": [ "Red Hat JBoss Fuse Service Works 6.2" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "groovy: remote execution of untrusted code in class MethodClosure" } ] }
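The workaround listed above for CVE-2015-3253 adds a readResolve() to MethodClosure that throws, so a deserialized instance never reaches application code. The Java program below is an added example written for this page, not Red Hat's or Groovy's code: it applies the same readResolve guard to a stand-in class named MethodRef (a hypothetical name, not Groovy's MethodClosure) and pairs it with the more general control the advisory text alludes to when it says not to deserialize untrusted input, a JDK 9+ ObjectInputFilter allowlist that rejects the class before any of its fields are read. The "attacker" stream is constructed locally by serializing MethodRef; the class name DeserializationGuardDemo is arbitrary. Assumes Java 9 or later.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class DeserializationGuardDemo {

    /** Harmless data class the application legitimately exchanges. */
    static final class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final String id;
        Order(String id) { this.id = id; }
    }

    /**
     * Hypothetical stand-in for a callable type such as Groovy's MethodClosure:
     * it names a method it would invoke when called. As in the advisory's
     * workaround, readResolve() refuses to hand a deserialized instance back.
     */
    static final class MethodRef implements Serializable {
        private static final long serialVersionUID = 1L;
        final String methodName;
        MethodRef(String methodName) { this.methodName = methodName; }

        // Same mechanism as the MethodClosure patch. Note that the object's fields
        // are already populated when this runs, so it blocks use of the object,
        // not the parsing of it; the filter below stops the class earlier.
        private Object readResolve() {
            throw new UnsupportedOperationException("MethodRef must not be deserialized");
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /**
     * Allowlist filter: only Order may appear in the stream, nesting is capped,
     * and every other class (including MethodRef) is rejected by "!*".
     */
    static ObjectInputFilter allowlist() {
        return ObjectInputFilter.Config.createFilter(
            "maxdepth=4;" + Order.class.getName() + ";!*");
    }

    static Object deserialize(byte[] bytes, ObjectInputFilter filter)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            if (filter != null) {
                ois.setObjectInputFilter(filter);
            }
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] okStream = serialize(new Order("A-100"));
        // Constructed stand-in for the attacker's crafted object.
        byte[] badStream = serialize(new MethodRef("execute"));

        Order order = (Order) deserialize(okStream, allowlist());
        System.out.println("order accepted through filter: " + order.id);

        // No filter: the readResolve guard is the last line of defence.
        try {
            deserialize(badStream, null);
        } catch (UnsupportedOperationException e) {
            System.out.println("readResolve refused: " + e.getMessage());
        }

        // With the filter: the class is rejected before its fields are read.
        try {
            deserialize(badStream, allowlist());
        } catch (InvalidClassException e) {
            System.out.println("filter rejected: " + e.getMessage());
        }
    }
}
```

The filter should be the primary control: readResolve() runs only after the stream has already been parsed up to that object, and a gadget chain that does its work inside readObject() of some other class is not stopped by it. On Java 8, where ObjectInputFilter does not exist, the equivalent is an ObjectInputStream subclass whose resolveClass() throws for any class name not on the allowlist.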
rhsa-2015_1539
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Red Hat JBoss BPM Suite 6.1.2, which fixes three security issues, several\nbugs, and adds various enhancements, is now available from the Red Hat\nCustomer Portal.\n\nRed Hat Product Security has rated this update as having Moderate security\nimpact. Common Vulnerability Scoring System (CVSS) base scores, which give\ndetailed severity ratings, are available for each vulnerability from the\nCVE links in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss BPM Suite is a business rules and processes management system\nfor the management, storage, creation, modification, and deployment of\nJBoss rules and BPMN2-compliant business processes.\n\nThis release of Red Hat JBoss BPM Suite 6.1.2 serves as a replacement for\nRed Hat JBoss BPM Suite 6.1.0, and includes bug fixes and enhancements,\nwhich are documented in the README.txt file included with the patch files.\n\nThe following security issues are also fixed with this release:\n\nIt was found that Apache Camel\u0027s XML converter performed XML External\nEntity (XXE) expansion. A remote attacker able to submit an SAXSource\ncontaining an XXE declaration could use this flaw to read files accessible\nto the user running the application server, and potentially perform other\nmore advanced XXE attacks. (CVE-2015-0263)\n\nIt was found that Apache Camel performed XML External Entity (XXE)\nexpansion when evaluating invalid XML Strings or invalid XML GenericFile\nobjects. 
A remote attacker able to submit a crafted XML message could use\nthis flaw to read files accessible to the user running the application\nserver, and potentially perform other more advanced XXE attacks.\n(CVE-2015-0264)\n\nA flaw was found in the dashbuilder import facility: the DocumentBuilders\ninstantiated in org.jboss.dashboard.export.ImportManagerImpl did not\ndisable external entities. This could allow an attacker to perform a\nvariety of XML External Entity (XXE) and Server-Side Request Forgery (SSRF)\nattacks. (CVE-2015-1818)\n\nRed Hat would like to thank David Jorm of IIX Product Security for\nreporting the CVE-2015-1818 issue.\n\nAll users of Red Hat JBoss BPM Suite 6.1.0 as provided from the Red Hat\nCustomer Portal are advised to upgrade to Red Hat JBoss BPM Suite 6.1.2.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2015:1539", "url": "https://access.redhat.com/errata/RHSA-2015:1539" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite\u0026downloadType=securityPatches\u0026version=6.1.0", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite\u0026downloadType=securityPatches\u0026version=6.1.0" }, { "category": "external", "summary": "1201714", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1201714" }, { "category": "external", "summary": "1203341", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1203341" }, { "category": "external", "summary": "1203344", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1203344" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_1539.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss BPM Suite 6.1.2 update", "tracking": { "current_release_date": "2024-11-22T09:21:46+00:00", "generator": { "date": "2024-11-22T09:21:46+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2015:1539", "initial_release_date": "2015-08-03T19:41:04+00:00", "revision_history": [ { "date": "2015-08-03T19:41:04+00:00", "number": "1", "summary": "Initial version" }, { 
"date": "2019-02-20T12:35:41+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-22T09:21:46+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss BPMS 6.0", "product": { "name": "Red Hat JBoss BPMS 6.0", "product_id": "Red Hat JBoss BPMS 6.0", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_bpms:6.0" } } } ], "category": "product_family", "name": "Red Hat Process Automation Manager" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2015-0263", "cwe": { "id": "CWE-611", "name": "Improper Restriction of XML External Entity Reference" }, "discovery_date": "2015-03-17T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1203344" } ], "notes": [ { "category": "description", "text": "It was found that Apache Camel\u0027s XML converter performed XML External Entity (XXE) expansion. 
A remote attacker able to submit an SAXSource containing an XXE declaration could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.", "title": "Vulnerability description" }, { "category": "summary", "text": "Camel: XXE in via SAXSource expansion", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss BPMS 6.0" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2015-0263" }, { "category": "external", "summary": "RHBZ#1203344", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1203344" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2015-0263", "url": "https://www.cve.org/CVERecord?id=CVE-2015-0263" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-0263", "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-0263" }, { "category": "external", "summary": "https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc", "url": "https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc" } ], "release_date": "2015-03-17T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2015-08-03T19:41:04+00:00", "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). 
Before applying the update, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing\nthe update, restart the server by starting the JBoss Application Server\nprocess.", "product_ids": [ "Red Hat JBoss BPMS 6.0" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2015:1539" } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "products": [ "Red Hat JBoss BPMS 6.0" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "Camel: XXE in via SAXSource expansion" }, { "cve": "CVE-2015-0264", "cwe": { "id": "CWE-611", "name": "Improper Restriction of XML External Entity Reference" }, "discovery_date": "2015-03-17T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1203341" } ], "notes": [ { "category": "description", "text": "It was found that Apache Camel performed XML External Entity (XXE) expansion when evaluating invalid XML Strings or invalid XML GenericFile objects. 
A remote attacker able to submit a crafted XML message could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.", "title": "Vulnerability description" }, { "category": "summary", "text": "Camel: XXE via XPath expression evaluation", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss BPMS 6.0" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2015-0264" }, { "category": "external", "summary": "RHBZ#1203341", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1203341" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2015-0264", "url": "https://www.cve.org/CVERecord?id=CVE-2015-0264" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-0264", "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-0264" }, { "category": "external", "summary": "https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc", "url": "https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc" } ], "release_date": "2015-03-17T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2015-08-03T19:41:04+00:00", "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). 
Before applying the update, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing\nthe update, restart the server by starting the JBoss Application Server\nprocess.", "product_ids": [ "Red Hat JBoss BPMS 6.0" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2015:1539" } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "products": [ "Red Hat JBoss BPMS 6.0" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "Camel: XXE via XPath expression evaluation" }, { "acknowledgments": [ { "names": [ "David Jorm" ], "organization": "IIX Product Security" } ], "cve": "CVE-2015-1818", "cwe": { "id": "CWE-611", "name": "Improper Restriction of XML External Entity Reference" }, "discovery_date": "2015-03-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1201714" } ], "notes": [ { "category": "description", "text": "A flaw was found in the dashbuilder import facility: the DocumentBuilders instantiated in org.jboss.dashboard.export.ImportManagerImpl did not disable external entities. 
This could allow an attacker to perform a variety of XML External Entity (XXE) and Server-Side Request Forgery (SSRF) attacks.", "title": "Vulnerability description" }, { "category": "summary", "text": "dashbuilder: XXE/SSRF vulnerability", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss BPMS 6.0" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2015-1818" }, { "category": "external", "summary": "RHBZ#1201714", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1201714" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2015-1818", "url": "https://www.cve.org/CVERecord?id=CVE-2015-1818" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-1818", "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-1818" } ], "release_date": "2015-03-13T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2015-08-03T19:41:04+00:00", "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). 
Before applying the update, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing\nthe update, restart the server by starting the JBoss Application Server\nprocess.", "product_ids": [ "Red Hat JBoss BPMS 6.0" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2015:1539" } ], "scores": [ { "cvss_v2": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0" }, "products": [ "Red Hat JBoss BPMS 6.0" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "dashbuilder: XXE/SSRF vulnerability" } ] }
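The three CVEs in RHSA-2015:1539 share one root cause: a DocumentBuilder, a String-to-DOM conversion feeding XPath, or a SAXSource whose parser still honours DOCTYPE declarations and resolves external entities. The Java program below is an added example written for this page, not Camel's, dashbuilder's or Red Hat's code, and it does not reproduce the Camel fix commit. It constructs a payload whose external entity points at a temporary file, parses it with a default DocumentBuilderFactory (which on a stock JDK resolves the entity, so the XPath query returns the file's contents), then with a hardened factory that refuses any DOCTYPE, and finally through a SAXSource whose XMLReader is hardened so that a SAXSource-to-DOM conversion (the path named in CVE-2015-0263) cannot expand entities. The feature URIs are the standard Xerces/JDK ones; the class name XxeDemo, the element names and the file contents are arbitrary. Assumes Java 11 or later.

```java
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMResult;
import javax.xml.transform.sax.SAXSource;
import javax.xml.xpath.XPathFactory;

import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.XMLReader;

public class XxeDemo {

    static final String DISALLOW_DOCTYPE  = "http://apache.org/xml/features/disallow-doctype-decl";
    static final String EXTERNAL_GENERAL  = "http://xml.org/sax/features/external-general-entities";
    static final String EXTERNAL_PARAM    = "http://xml.org/sax/features/external-parameter-entities";
    static final String LOAD_EXTERNAL_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";

    /** Default JDK factory: DOCTYPE allowed, external entities resolved. */
    static DocumentBuilderFactory weakFactory() {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        return f;
    }

    /** Hardened factory: refuse DOCTYPE outright, and disable entity loading as well. */
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(DISALLOW_DOCTYPE, true);
        f.setFeature(EXTERNAL_GENERAL, false);
        f.setFeature(EXTERNAL_PARAM, false);
        f.setFeature(LOAD_EXTERNAL_DTD, false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** A SAXSource is only as safe as the XMLReader it carries; the Transformer parses with it. */
    static SAXSource hardenedSaxSource(String xml) throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true);
        spf.setFeature(DISALLOW_DOCTYPE, true);
        spf.setFeature(EXTERNAL_GENERAL, false);
        spf.setFeature(EXTERNAL_PARAM, false);
        spf.setFeature(LOAD_EXTERNAL_DTD, false);
        XMLReader reader = spf.newSAXParser().getXMLReader();
        return new SAXSource(reader, new InputSource(new StringReader(xml)));
    }

    /** String -> DOM -> XPath, the shape of the conversion behind CVE-2015-0264. */
    static String evaluate(DocumentBuilderFactory f, String xml) throws Exception {
        DocumentBuilder b = f.newDocumentBuilder();
        Document doc = b.parse(new InputSource(new StringReader(xml)));
        // Entity expansion already happened inside parse(); XPath just reads the result.
        return XPathFactory.newInstance().newXPath().evaluate("/order/note", doc);
    }

    public static void main(String[] args) throws Exception {
        // Constructed target file standing in for anything readable by the server user.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.writeString(secret, "TOP-SECRET");
        String payload = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE order [<!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">]>"
            + "<order><note>&xxe;</note></order>";

        System.out.println("weak DOM+XPath returned: " + evaluate(weakFactory(), payload));
        try {
            System.out.println("hardened DOM+XPath returned: " + evaluate(hardenedFactory(), payload));
        } catch (SAXParseException e) {
            System.out.println("hardened DOM+XPath rejected: " + e.getMessage());
        }

        try {
            TransformerFactory.newInstance().newTransformer()
                .transform(hardenedSaxSource(payload), new DOMResult());
        } catch (TransformerException e) {
            System.out.println("hardened SAXSource rejected: " + e.getMessage());
        }
        Files.deleteIfExists(secret);
    }
}
```

Disallowing DOCTYPE is the simplest complete fix but also rejects legitimate documents that carry a DTD. Where those must be accepted, leave DOCTYPE allowed, keep the two external-entity features and load-external-dtd off, and install an EntityResolver that returns an empty InputSource for every system identifier. FEATURE_SECURE_PROCESSING on its own does not stop external entity resolution; it only limits expansion size.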
rhsa-2015:1041
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Red Hat JBoss Fuse and A-MQ 6.1.0 Patch 4 on Rollup Patch 2 (R2P4), which\nfixes two security issues, several bugs, and adds various enhancements, is\nnow available from the Red Hat Customer Portal.\n\nRed Hat Product Security has rated this update as having Moderate security\nimpact. Common Vulnerability Scoring System (CVSS) base scores, which give\ndetailed severity ratings, are available for each vulnerability from the\nCVE links in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint,\nflexible, open source enterprise service bus and integration platform.\nRed Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards compliant\nmessaging system that is tailored for use in mission critical applications.\n\nThis patch is an update to Red Hat JBoss Fuse 6.1.0 and Red Hat JBoss A-MQ\n6.1.0. It includes several bug fixes, which are documented in the\nreadme.txt file included with the patch files. The following security\nissues are addressed in this release:\n\nIt was found that Apache Camel\u0027s XML converter performed XML External\nEntity (XXE) expansion. A remote attacker able to submit an SAXSource\ncontaining an XXE declaration could use this flaw to read files accessible\nto the user running the application server, and potentially perform other\nmore advanced XXE attacks. (CVE-2015-0263)\n\nIt was found that Apache Camel performed XML External Entity (XXE)\nexpansion when evaluating invalid XML Strings or invalid XML GenericFile\nobjects. 
A remote attacker able to submit a crafted XML message could use\nthis flaw to read files accessible to the user running the application\nserver, and potentially perform other more advanced XXE attacks.\n(CVE-2015-0264)\n\nRefer to the readme.txt file included with the patch files for\ninstallation instructions.\n\nAll users of Red Hat JBoss Fuse 6.1.0 and Red Hat JBoss A-MQ 6.1.0 as\nprovided from the Red Hat Customer Portal are advised to apply this update.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2015:1041", "url": "https://access.redhat.com/errata/RHSA-2015:1041" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse\u0026downloadType=securityPatches\u0026version=6.1.0", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse\u0026downloadType=securityPatches\u0026version=6.1.0" }, { "category": "external", "summary": "1203341", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1203341" }, { "category": "external", "summary": "1203344", 
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1203344" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_1041.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Fuse/A-MQ 6.1.0 update", "tracking": { "current_release_date": "2025-09-10T14:07:09+00:00", "generator": { "date": "2025-09-10T14:07:09+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.7" } }, "id": "RHSA-2015:1041", "initial_release_date": "2015-06-01T17:08:08+00:00", "revision_history": [ { "date": "2015-06-01T17:08:08+00:00", "number": "1", "summary": "Initial version" }, { "date": "2019-02-20T12:35:43+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-09-10T14:07:09+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss A-MQ 6.1", "product": { "name": "Red Hat JBoss A-MQ 6.1", "product_id": "Red Hat JBoss A-MQ 6.1", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_amq:6.1.0" } } }, { "category": "product_name", "name": "Red Hat JBoss Fuse 6.1", "product": { "name": "Red Hat JBoss Fuse 6.1", "product_id": "Red Hat JBoss Fuse 6.1", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_fuse:6.1.0" } } } ], "category": "product_family", "name": "Red Hat JBoss Fuse" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2015-0263", "cwe": { "id": "CWE-611", "name": "Improper Restriction of XML External Entity Reference" }, "discovery_date": "2015-03-17T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1203344" } ], "notes": [ { "category": "description", "text": "It was found that Apache Camel\u0027s XML converter performed XML External Entity (XXE) expansion. 
A remote attacker able to submit an SAXSource containing an XXE declaration could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.", "title": "Vulnerability description" }, { "category": "summary", "text": "Camel: XXE in via SAXSource expansion", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss A-MQ 6.1", "Red Hat JBoss Fuse 6.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2015-0263" }, { "category": "external", "summary": "RHBZ#1203344", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1203344" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2015-0263", "url": "https://www.cve.org/CVERecord?id=CVE-2015-0263" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-0263", "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-0263" }, { "category": "external", "summary": "https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc", "url": "https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc" } ], "release_date": "2015-03-17T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2015-06-01T17:08:08+00:00", "details": "The References section of this erratum contains a download link (you must\nlog in to download the update).", "product_ids": [ "Red Hat JBoss A-MQ 6.1", "Red Hat JBoss Fuse 6.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2015:1041" } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", 
"authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "products": [ "Red Hat JBoss A-MQ 6.1", "Red Hat JBoss Fuse 6.1" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "Camel: XXE in via SAXSource expansion" }, { "cve": "CVE-2015-0264", "cwe": { "id": "CWE-611", "name": "Improper Restriction of XML External Entity Reference" }, "discovery_date": "2015-03-17T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1203341" } ], "notes": [ { "category": "description", "text": "It was found that Apache Camel performed XML External Entity (XXE) expansion when evaluating invalid XML Strings or invalid XML GenericFile objects. A remote attacker able to submit a crafted XML message could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.", "title": "Vulnerability description" }, { "category": "summary", "text": "Camel: XXE via XPath expression evaluation", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss A-MQ 6.1", "Red Hat JBoss Fuse 6.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2015-0264" }, { "category": "external", "summary": "RHBZ#1203341", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1203341" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2015-0264", "url": "https://www.cve.org/CVERecord?id=CVE-2015-0264" }, { "category": "external", "summary": 
"https://nvd.nist.gov/vuln/detail/CVE-2015-0264", "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-0264" }, { "category": "external", "summary": "https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc", "url": "https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc" } ], "release_date": "2015-03-17T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2015-06-01T17:08:08+00:00", "details": "The References section of this erratum contains a download link (you must\nlog in to download the update).", "product_ids": [ "Red Hat JBoss A-MQ 6.1", "Red Hat JBoss Fuse 6.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2015:1041" } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "products": [ "Red Hat JBoss A-MQ 6.1", "Red Hat JBoss Fuse 6.1" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "Camel: XXE via XPath expression evaluation" } ] }
rhsa-2015_2558
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Red Hat JBoss Fuse Service Works 6.2.1, which fixes three security issues\nand various bugs, is now available from the Red Hat Customer Portal.\n\nRed Hat Product Security has rated this update as having Important security\nimpact. Common Vulnerability Scoring System (CVSS) base scores, which give\ndetailed severity ratings, are available for each vulnerability from the\nCVE links in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Fuse Service Works is the next-generation ESB and business\nprocess automation infrastructure.\n\nThis release of Red Hat JBoss Fuse Service Works 6.2.1 serves as a\nreplacement for Red Hat JBoss Fuse Service Works 6.0.0. It includes various\nbug fixes, which are listed in the README file included with the patch\nfiles.\n\nThe following security issues are fixed with this release:\n\nA flaw was discovered that when an application uses Groovy (has it on the\nclasspath) and uses the standard Java serialization mechanism, an attacker\ncan bake a special serialized object that executes code directly when\ndeserialized. All applications which rely on serialization and do not\nisolate the code which deserializes objects are subject to this\nvulnerability. (CVE-2015-3253)\n\nIt was found that Apache Camel\u0027s XML converter performed XML External\nEntity (XXE) expansion. A remote attacker able to submit an SAXSource\ncontaining an XXE declaration could use this flaw to read files accessible\nto the user running the application server, and potentially perform other\nmore advanced XXE attacks. 
(CVE-2015-0263)\n\nIt was found that Apache Camel performed XML External Entity (XXE)\nexpansion when evaluating invalid XML Strings or invalid XML GenericFile\nobjects. A remote attacker able to submit a crafted XML message could use\nthis flaw to read files accessible to the user running the application\nserver, and potentially perform other more advanced XXE attacks.\n(CVE-2015-0264)\n\nAll users of Red Hat JBoss Fuse Service Works 6.0.0 as provided from the\nRed Hat Customer Portal are advised to apply this security update.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2015:2558", "url": "https://access.redhat.com/errata/RHSA-2015:2558" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse.serviceworks\u0026downloadType=distributions\u0026version=6.2.1", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse.serviceworks\u0026downloadType=distributions\u0026version=6.2.1" }, { "category": "external", "summary": "1203341", "url": 
"https://bugzilla.redhat.com/show_bug.cgi?id=1203341" }, { "category": "external", "summary": "1203344", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1203344" }, { "category": "external", "summary": "1243934", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1243934" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_2558.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Fuse Service Works 6.2.1 update", "tracking": { "current_release_date": "2024-11-22T09:21:53+00:00", "generator": { "date": "2024-11-22T09:21:53+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2015:2558", "initial_release_date": "2015-12-07T20:46:48+00:00", "revision_history": [ { "date": "2015-12-07T20:46:48+00:00", "number": "1", "summary": "Initial version" }, { "date": "2019-02-20T12:38:27+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-22T09:21:53+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss Fuse Service Works 6.2", "product": { "name": "Red Hat JBoss Fuse Service Works 6.2", "product_id": "Red Hat JBoss Fuse Service Works 6.2", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_fuse_service_works:6.2" } } } ], "category": "product_family", "name": "Red Hat JBoss Fuse Service Works" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2015-0263", "cwe": { "id": "CWE-611", "name": "Improper Restriction of XML External Entity Reference" }, "discovery_date": "2015-03-17T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1203344" } ], "notes": [ { "category": "description", "text": "It was found that Apache Camel\u0027s XML converter performed XML External Entity (XXE) expansion. 
A remote attacker able to submit an SAXSource containing an XXE declaration could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.", "title": "Vulnerability description" }, { "category": "summary", "text": "Camel: XXE in via SAXSource expansion", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Fuse Service Works 6.2" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2015-0263" }, { "category": "external", "summary": "RHBZ#1203344", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1203344" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2015-0263", "url": "https://www.cve.org/CVERecord?id=CVE-2015-0263" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-0263", "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-0263" }, { "category": "external", "summary": "https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc", "url": "https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc" } ], "release_date": "2015-03-17T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2015-12-07T20:46:48+00:00", "details": "The References section of this erratum contains a download link (you must\nlog in to download the updates). 
Before applying the updates, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing\nthe update, restart the server by starting the JBoss Application Server\nprocess.", "product_ids": [ "Red Hat JBoss Fuse Service Works 6.2" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2015:2558" } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "products": [ "Red Hat JBoss Fuse Service Works 6.2" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "Camel: XXE in via SAXSource expansion" }, { "cve": "CVE-2015-0264", "cwe": { "id": "CWE-611", "name": "Improper Restriction of XML External Entity Reference" }, "discovery_date": "2015-03-17T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1203341" } ], "notes": [ { "category": "description", "text": "It was found that Apache Camel performed XML External Entity (XXE) expansion when evaluating invalid XML Strings or invalid XML GenericFile objects. 
A remote attacker able to submit a crafted XML message could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.", "title": "Vulnerability description" }, { "category": "summary", "text": "Camel: XXE via XPath expression evaluation", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Fuse Service Works 6.2" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2015-0264" }, { "category": "external", "summary": "RHBZ#1203341", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1203341" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2015-0264", "url": "https://www.cve.org/CVERecord?id=CVE-2015-0264" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-0264", "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-0264" }, { "category": "external", "summary": "https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc", "url": "https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc" } ], "release_date": "2015-03-17T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2015-12-07T20:46:48+00:00", "details": "The References section of this erratum contains a download link (you must\nlog in to download the updates). 
Before applying the updates, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing\nthe update, restart the server by starting the JBoss Application Server\nprocess.", "product_ids": [ "Red Hat JBoss Fuse Service Works 6.2" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2015:2558" } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "products": [ "Red Hat JBoss Fuse Service Works 6.2" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "Camel: XXE via XPath expression evaluation" }, { "cve": "CVE-2015-3253", "cwe": { "id": "CWE-284", "name": "Improper Access Control" }, "discovery_date": "2015-07-16T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1243934" } ], "notes": [ { "category": "description", "text": "A flaw was discovered in the way applications using Groovy used the standard Java serialization mechanism. A remote attacker could use a specially crafted serialized object that would execute code directly when deserialized. 
All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability.", "title": "Vulnerability description" }, { "category": "summary", "text": "groovy: remote execution of untrusted code in class MethodClosure", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Fuse Service Works 6.2" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2015-3253" }, { "category": "external", "summary": "RHBZ#1243934", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1243934" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2015-3253", "url": "https://www.cve.org/CVERecord?id=CVE-2015-3253" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-3253", "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-3253" }, { "category": "external", "summary": "http://seclists.org/oss-sec/2015/q3/121", "url": "http://seclists.org/oss-sec/2015/q3/121" } ], "release_date": "2015-07-16T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2015-12-07T20:46:48+00:00", "details": "The References section of this erratum contains a download link (you must\nlog in to download the updates). 
Before applying the updates, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing\nthe update, restart the server by starting the JBoss Application Server\nprocess.", "product_ids": [ "Red Hat JBoss Fuse Service Works 6.2" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2015:2558" }, { "category": "workaround", "details": "Apply the following patch on the MethodClosure class (src/main/org/codehaus/groovy/runtime/MethodClosure.java):\n\n public class MethodClosure extends Closure {\n + private Object readResolve() {\n + throw new UnsupportedOperationException();\n + \n }\n\nAlternatively, you should make sure to use a custom security policy file (using the standard Java security manager) or make sure that you do not rely on serialization to communicate remotely.", "product_ids": [ "Red Hat JBoss Fuse Service Works 6.2" ] } ], "scores": [ { "cvss_v2": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.0" }, "products": [ "Red Hat JBoss Fuse Service Works 6.2" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "groovy: remote execution of untrusted code in class MethodClosure" } ] }
fkie_cve-2015-0264
Vulnerability from fkie_nvd
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*", "matchCriteriaId": "3E65DC32-33D4-46FB-97AD-0ACF0DDF6E00", "versionEndIncluding": "2.13.3", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:camel:2.14.0:*:*:*:*:*:*:*", "matchCriteriaId": "BF8F319C-1212-4787-A1E8-15D576527EF2", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:camel:2.14.1:*:*:*:*:*:*:*", "matchCriteriaId": "17E12D85-196F-4723-A4EC-7DC900087AC5", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple XML external entity (XXE) vulnerabilities in builder/xml/XPathBuilder.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allow remote attackers to read arbitrary files via an external entity in an invalid XML (1) String or (2) GenericFile object in an XPath query." }, { "lang": "es", "value": "M\u00faltiples vulnerabilidades de entidad externa XML (XXE) en builder/xml/XPathBuilder.java en Apache Camel anterior a 2.13.4 y 2.14.x anterior a 2.14.2 permiten a atacantes remotos leer ficheros arbitrarios a trav\u00e9s de una entidad externa en un objeto XML (1) String o (2) GenericFile inv\u00e1lido en una consulta XPath." 
} ], "evaluatorComment": "\u003ca href=\"http://cwe.mitre.org/data/definitions/611.html\"\u003eCWE-611: Improper Restriction of XML External Entity Reference (\u0027XXE\u0027)\u003c/a\u003e", "id": "CVE-2015-0264", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2015-06-03T20:59:04.403", "references": [ { "source": "secalert@redhat.com", "url": "http://rhn.redhat.com/errata/RHSA-2015-1041.html" }, { "source": "secalert@redhat.com", "url": "http://rhn.redhat.com/errata/RHSA-2015-1538.html" }, { "source": "secalert@redhat.com", "url": "http://rhn.redhat.com/errata/RHSA-2015-1539.html" }, { "source": "secalert@redhat.com", "url": "http://securitytracker.com/id/1032442" }, { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc" }, { "source": "secalert@redhat.com", "url": "https://git-wip-us.apache.org/repos/asf?p=camel.git%3Ba=commitdiff%3Bh=1df559649a96a1ca0368373387e542f46e4820da" }, { "source": "secalert@redhat.com", "url": "https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E" }, { "source": "secalert@redhat.com", "url": "https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d%40%3Ccommits.camel.apache.org%3E" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": 
"http://rhn.redhat.com/errata/RHSA-2015-1041.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2015-1538.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2015-1539.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://securitytracker.com/id/1032442" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git-wip-us.apache.org/repos/asf?p=camel.git%3Ba=commitdiff%3Bh=1df559649a96a1ca0368373387e542f46e4820da" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d%40%3Ccommits.camel.apache.org%3E" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
gsd-2015-0264
Vulnerability from gsd
{ "GSD": { "alias": "CVE-2015-0264", "description": "Multiple XML external entity (XXE) vulnerabilities in builder/xml/XPathBuilder.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allow remote attackers to read arbitrary files via an external entity in an invalid XML (1) String or (2) GenericFile object in an XPath query.", "id": "GSD-2015-0264", "references": [ "https://access.redhat.com/errata/RHSA-2015:2558", "https://access.redhat.com/errata/RHSA-2015:1539", "https://access.redhat.com/errata/RHSA-2015:1538", "https://access.redhat.com/errata/RHSA-2015:1041" ] }, "gsd": { "metadata": { "exploitCode": "unknown", "remediation": "unknown", "reportConfidence": "confirmed", "type": "vulnerability" }, "osvSchema": { "aliases": [ "CVE-2015-0264" ], "details": "Multiple XML external entity (XXE) vulnerabilities in builder/xml/XPathBuilder.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allow remote attackers to read arbitrary files via an external entity in an invalid XML (1) String or (2) GenericFile object in an XPath query.", "id": "GSD-2015-0264", "modified": "2023-12-13T01:19:57.963505Z", "schema_version": "1.4.0" } }, "namespaces": { "cve.org": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2015-0264", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple XML external entity (XXE) vulnerabilities in builder/xml/XPathBuilder.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allow remote attackers to read arbitrary files via an external entity in an invalid XML (1) String or (2) GenericFile object in an XPath query." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "RHSA-2015:1539", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2015-1539.html" }, { "name": "1032442", "refsource": "SECTRACK", "url": "http://securitytracker.com/id/1032442" }, { "name": "https://git-wip-us.apache.org/repos/asf?p=camel.git;a=commitdiff;h=1df559649a96a1ca0368373387e542f46e4820da", "refsource": "CONFIRM", "url": "https://git-wip-us.apache.org/repos/asf?p=camel.git;a=commitdiff;h=1df559649a96a1ca0368373387e542f46e4820da" }, { "name": "RHSA-2015:1041", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2015-1041.html" }, { "name": "RHSA-2015:1538", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2015-1538.html" }, { "name": "https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc", "refsource": "CONFIRM", "url": "https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc" }, { "name": "[camel-commits] 20190430 svn commit: r1044347 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0194.txt.asc security-advisories.html", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d@%3Ccommits.camel.apache.org%3E" }, { "name": "[camel-commits] 20190524 svn commit: r1045395 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0188.txt.asc security-advisories.html", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf@%3Ccommits.camel.apache.org%3E" } ] } }, "gitlab.com": { "advisories": [ { "affected_range": "(,2.13.3],[2.14-alpha0,2.14.1]", "affected_versions": "All versions up to 2.13.3, all versions starting from 2.14-alpha0 up to 2.14.1", "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "cwe_ids": [ "CWE-1035", 
"CWE-937" ], "date": "2019-05-24", "description": "Multiple XML external entity (XXE) vulnerabilities in `builder/xml/XPathBuilder.java` in this package allow remote attackers to read arbitrary files via an external entity in an invalid XML String or GenericFile object in an XPath query.", "fixed_versions": [ "2.13.4", "2.14.2" ], "identifier": "CVE-2015-0264", "identifiers": [ "CVE-2015-0264" ], "not_impacted": "All versions after 2.13.3 before 2.14-alpha0, all versions after 2.14.1", "package_slug": "maven/org.apache.camel/camel-core", "pubdate": "2015-06-03", "solution": "Upgrade to versions 2.13.4, 2.14.2 or above.", "title": "XXE in Apache Camel", "urls": [ "http://camel.apache.org/security-advisories.html", "https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc?version=1\u0026modificationDate=1426539191000\u0026api=v2", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0264" ], "uuid": "ee33baa9-43a1-433d-ad4b-a006f9517bee" } ] }, "nvd.nist.gov": { "configurations": { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndIncluding": "2.13.3", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:camel:2.14.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:camel:2.14.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" } ] }, "cve": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2015-0264" }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "en", "value": "Multiple XML external entity (XXE) vulnerabilities in builder/xml/XPathBuilder.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allow remote attackers to read arbitrary files via an external entity in an invalid XML (1) String or (2) GenericFile object in an XPath query." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ] } ] }, "references": { "reference_data": [ { "name": "https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc", "refsource": "CONFIRM", "tags": [ "Vendor Advisory" ], "url": "https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc" }, { "name": "1032442", "refsource": "SECTRACK", "tags": [], "url": "http://securitytracker.com/id/1032442" }, { "name": "https://git-wip-us.apache.org/repos/asf?p=camel.git;a=commitdiff;h=1df559649a96a1ca0368373387e542f46e4820da", "refsource": "CONFIRM", "tags": [], "url": "https://git-wip-us.apache.org/repos/asf?p=camel.git;a=commitdiff;h=1df559649a96a1ca0368373387e542f46e4820da" }, { "name": "RHSA-2015:1041", "refsource": "REDHAT", "tags": [], "url": "http://rhn.redhat.com/errata/RHSA-2015-1041.html" }, { "name": "RHSA-2015:1538", "refsource": "REDHAT", "tags": [], "url": "http://rhn.redhat.com/errata/RHSA-2015-1538.html" }, { "name": "RHSA-2015:1539", "refsource": "REDHAT", "tags": [], "url": "http://rhn.redhat.com/errata/RHSA-2015-1539.html" }, { "name": "[camel-commits] 20190430 svn commit: r1044347 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0194.txt.asc security-advisories.html", "refsource": "MLIST", "tags": [], "url": "https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d@%3Ccommits.camel.apache.org%3E" }, { "name": "[camel-commits] 20190524 svn commit: r1045395 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0188.txt.asc security-advisories.html", "refsource": "MLIST", "tags": [], "url": "https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf@%3Ccommits.camel.apache.org%3E" } ] } }, "impact": { "baseMetricV2": { "cvssV2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", 
"availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false } }, "lastModifiedDate": "2019-05-24T11:29Z", "publishedDate": "2015-06-03T20:59Z" } } }
cnvd-2015-01866
Vulnerability from cnvd
Title: Apache Camel XPath Arbitrary File Read Vulnerability
Description:
Apache Camel is an open source project of the Apache Foundation. It is a rule-based routing and mediation engine that provides a Java object implementation of the enterprise integration patterns, with routing and mediation rules configured through an API (also described as a declarative Java domain-specific language (DSL)).
A security vulnerability exists in the way Apache Camel XPath handles invalid XML strings or XML GenericFile objects, allowing remote attackers to read arbitrary files via XML external entity declarations.
Severity: High
Patch Name: Patch for the Apache Camel XPath Arbitrary File Read Vulnerability
Patch Description:
Apache Camel is an open source project of the Apache Foundation. It is a rule-based routing and mediation engine that provides a Java object implementation of the enterprise integration patterns, with routing and mediation rules configured through an API (also described as a declarative Java domain-specific language (DSL)). A security vulnerability exists in the way Apache Camel XPath handles invalid XML strings or XML GenericFile objects, allowing remote attackers to read arbitrary files via XML external entity declarations. The vendor has now released a security advisory and related patch information that fixes this vulnerability.
Formal description:
Apache Camel 2.13.4 and 2.14.2 have fixed this vulnerability; users are advised to download the update: http://camel.apache.org/
Reference: http://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc?version=1&modificationDate=1426539191142&api=v2
Name: Apache Camel
{ "cves": { "cve": { "cveNumber": "CVE-2015-0264" } }, "description": "Apache Camel\u662fApache\u57fa\u91d1\u4f1a\u4e0b\u7684\u4e00\u4e2a\u5f00\u6e90\u9879\u76ee,\u5b83\u662f\u4e00\u4e2a\u57fa\u4e8e\u89c4\u5219\u8def\u7531\u548c\u4e2d\u4ecb\u5f15\u64ce\uff0c\u63d0\u4f9b\u4f01\u4e1a\u96c6\u6210\u6a21\u5f0f\u7684Java\u5bf9\u8c61\u7684\u5b9e\u73b0\uff0c\u901a\u8fc7\u5e94\u7528\u7a0b\u5e8f\u63a5\u53e3\uff08\u6216\u79f0\u4e3a\u9648\u8ff0\u5f0f\u7684Java\u9886\u57df\u7279\u5b9a\u8bed\u8a00\uff08DSL\uff09\uff09\u6765\u914d\u7f6e\u8def\u7531\u548c\u4e2d\u4ecb\u7684\u89c4\u5219\u3002\r\n\r\nApache Camel XPath\u5904\u7406\u975e\u6cd5XML\u5b57\u7b26\u4e32\u6216XML GenericFile\u5bf9\u8c61\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u5141\u8bb8\u8fdc\u7a0b\u653b\u51fb\u8005\u901a\u8fc7XML\u5916\u90e8\u5b9e\u4f53\u58f0\u660e\u6765\u8bfb\u53d6\u4efb\u610f\u6587\u4ef6\u3002", "discovererName": "Apache", "formalWay": "Apache Camel 2.13.4\u548c2.14.2\u5df2\u7ecf\u4fee\u590d\u8be5\u6f0f\u6d1e\uff0c\u5efa\u8bae\u7528\u6237\u4e0b\u8f7d\u66f4\u65b0\uff1a\r\nhttp://camel.apache.org/", "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e", "number": "CNVD-2015-01866", "openTime": "2015-03-20", "patchDescription": "Apache Camel\u662fApache\u57fa\u91d1\u4f1a\u4e0b\u7684\u4e00\u4e2a\u5f00\u6e90\u9879\u76ee,\u5b83\u662f\u4e00\u4e2a\u57fa\u4e8e\u89c4\u5219\u8def\u7531\u548c\u4e2d\u4ecb\u5f15\u64ce\uff0c\u63d0\u4f9b\u4f01\u4e1a\u96c6\u6210\u6a21\u5f0f\u7684Java\u5bf9\u8c61\u7684\u5b9e\u73b0\uff0c\u901a\u8fc7\u5e94\u7528\u7a0b\u5e8f\u63a5\u53e3\uff08\u6216\u79f0\u4e3a\u9648\u8ff0\u5f0f\u7684Java\u9886\u57df\u7279\u5b9a\u8bed\u8a00\uff08DSL\uff09\uff09\u6765\u914d\u7f6e\u8def\u7531\u548c\u4e2d\u4ecb\u7684\u89c4\u5219\u3002Apache Camel XPath\u5904\u7406\u975e\u6cd5XML\u5b57\u7b26\u4e32\u6216XML 
GenericFile\u5bf9\u8c61\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u5141\u8bb8\u8fdc\u7a0b\u653b\u51fb\u8005\u901a\u8fc7XML\u5916\u90e8\u5b9e\u4f53\u58f0\u660e\u6765\u8bfb\u53d6\u4efb\u610f\u6587\u4ef6\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002", "patchName": "Apache Camel XPath\u4efb\u610f\u6587\u4ef6\u8bfb\u53d6\u6f0f\u6d1e\u7684\u8865\u4e01", "products": { "product": "Apache Camel" }, "referenceLink": "http://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc?version=1\u0026modificationDate=1426539191142\u0026api=v2", "serverity": "\u9ad8", "submitTime": "2015-03-19", "title": "Apache Camel XPath\u4efb\u610f\u6587\u4ef6\u8bfb\u53d6\u6f0f\u6d1e" }