Server-Side Request Forgery (SSRF) in Apache Camel - CVE-2017-5643
Published: June 25, 2025
Vulnerability identifier: #VU111924
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2017-5643
CWE-ID: CWE-918
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Apache Foundation
Affected software:
Apache Camel
Apache Camel
Detailed vulnerability description
The disclosed vulnerability allows a remote attacker to perform SSRF attacks.
The vulnerability exists due to validation Component of Apache Camel evaluates DTD headers of XML stream sources, although a validation against XML schemas (XSD) is executed. A remote attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.
Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.
How to mitigate CVE-2017-5643
Install updates from vendor's website.
Sources
- http://camel.apache.org/security-advisories.data/CVE-2017-5643.txt.asc?version=1&modificationDate=1489652454000&api=v2
- http://www.securityfocus.com/bid/97226
- https://access.redhat.com/errata/RHSA-2017:1832
- https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf@%3Ccommits.camel.apache.org%3E
- https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d@%3Ccommits.camel.apache.org%3E