{
  "threat_severity" : "Moderate",
  "public_date" : "2015-03-17T00:00:00Z",
  "bugzilla" : {
    "description" : "Camel: XXE via SAXSource expansion",
    "id" : "1203344",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1203344"
  },
  "cvss" : {
    "cvss_base_score" : "5.0",
    "cvss_scoring_vector" : "AV:N/AC:L/Au:N/C:P/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-611",
  "details" : [ "XML external entity (XXE) vulnerability in the XML converter setup in converter/jaxp/XmlConverter.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allows remote attackers to read arbitrary files via an external entity in an SAXSource.", "It was found that Apache Camel's XML converter performed XML External Entity (XXE) expansion. A remote attacker able to submit an SAXSource containing an XXE declaration could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks." ],
  "affected_release" : [ {
    "product_name" : "Red Hat JBoss A-MQ 6.1",
    "release_date" : "2015-06-01T00:00:00Z",
    "advisory" : "RHSA-2015:1041",
    "cpe" : "cpe:/a:redhat:jboss_amq:6.1.0"
  }, {
    "product_name" : "Red Hat JBoss BPMS 6.0",
    "release_date" : "2015-08-03T00:00:00Z",
    "advisory" : "RHSA-2015:1539",
    "cpe" : "cpe:/a:redhat:jboss_bpms:6.0",
    "package" : "Camel"
  }, {
    "product_name" : "Red Hat JBoss BRMS 6.0",
    "release_date" : "2015-08-03T00:00:00Z",
    "advisory" : "RHSA-2015:1538",
    "cpe" : "cpe:/a:redhat:jboss_brms:6.0",
    "package" : "Camel"
  }, {
    "product_name" : "Red Hat JBoss Fuse 6.1",
    "release_date" : "2015-06-01T00:00:00Z",
    "advisory" : "RHSA-2015:1041",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6.1.0"
  }, {
    "product_name" : "Red Hat JBoss Fuse Service Works 6.2",
    "release_date" : "2015-12-07T00:00:00Z",
    "advisory" : "RHSA-2015:2558",
    "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6.2",
    "package" : "Camel"
  } ],
  "package_state" : [ {
    "product_name" : "OpenShift Enterprise 1",
    "fix_state" : "Will not fix",
    "package_name" : "camel",
    "cpe" : "cpe:/a:redhat:openshift:1"
  }, {
    "product_name" : "Red Hat OpenShift Enterprise 2",
    "fix_state" : "Affected",
    "package_name" : "camel",
    "cpe" : "cpe:/a:redhat:openshift:2"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2015-0263\nhttps://nvd.nist.gov/vuln/detail/CVE-2015-0263\nhttps://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc" ],
  "name" : "CVE-2015-0263",
  "csaw" : false
}