Path traversal in Apache Camel



Published: 2019-05-03 | Updated: 2019-06-12
Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2019-0194
CWE-ID CWE-22
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
Apache Camel
Server applications / Frameworks for developing and running applications

Vendor Apache Foundation

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Path traversal

EUVDB-ID: #VU18786

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2019-0194

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Apache Camel: 2.21.0 - 2.23.0


CPE2.3 External links

http://www.openwall.com/lists/oss-security/2019/04/30/2
http://www.securityfocus.com/bid/108181
http://lists.apache.org/thread.html/0a163d02169d3d361150e8183df4af33f1a3d8a419b2937ac8e6c66f@%3Cusers.camel.apache.org%3E
http://lists.apache.org/thread.html/0cb842f367336b352a7548e290116b64b78b8e7b99402deaba81a687@%3Ccommits.camel.apache.org%3E
http://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf@%3Ccommits.camel.apache.org%3E
http://lists.apache.org/thread.html/45e23ade8d3cb754615f95975e89e8dc73c59eeac914f07d53acbac6@%3Ccommits.camel.apache.org%3E
http://lists.apache.org/thread.html/9a6bc022f7ab28e4894b1831ce336eb41ae6d5c24d86646fe16e956f@%3Ccommits.camel.apache.org%3E
http://lists.apache.org/thread.html/a39441db574ee996f829344491b3211b53c9ed926f00ae5d88943b76@%3Cdev.camel.apache.org%3E
http://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d@%3Ccommits.camel.apache.org%3E

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?



###SIDEBAR###