CVE-2014-0002
Description
The XSLT component in Apache Camel before 2.11.4 and 2.12.x before 2.12.3 allows remote attackers to read arbitrary files and possibly have other unspecified impact via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.camel:camel-core (Maven) | < 2.11.4 | 2.11.4 |
| org.apache.camel:camel-core (Maven) | >= 2.12.0, < 2.12.3 | 2.12.3 |
Affected products: 1
Patches (5)
54b65c1d3084 CAMEL-7129: Remove the CamelXsltResourceUri header from xslt component
3 files changed · +9 −14
camel-core/src/main/java/org/apache/camel/component/xslt/XsltConstants.java+3 −0 modified@@ -21,6 +21,9 @@ */ public final class XsltConstants { + @Deprecated + // XsltComponent don't support this message any more + // Please create the XsltEndpoint directly from the URI public static final String XSLT_RESOURCE_URI = "CamelXsltResourceUri"; private XsltConstants() {
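Review bot: The deprecation reason on `XSLT_RESOURCE_URI` is written as two `//` comments wedged between `@Deprecated` and the field, so it never reaches the generated Javadoc or IDE deprecation hints, and a route that still sets the header gets no explanation of why it stopped working. Put it in a Javadoc block above the annotation instead, for example `/** @deprecated The XSLT component ignores this header; configure the stylesheet on the endpoint URI instead. */`. The wording should say "header" rather than "message", and it is worth recording that the header is ignored because it let an incoming message choose which stylesheet resource was loaded. The class body continues outside the hunk, and the same section is repeated under the other commits listed on this page.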
camel-core/src/main/java/org/apache/camel/component/xslt/XsltEndpoint.java+4 −11 modified@@ -76,19 +76,12 @@ public XsltEndpoint findOrCreateEndpoint(String uri, String newResourceUri) { @Override protected void onExchange(Exchange exchange) throws Exception { - String newResourceUri = exchange.getIn().getHeader(XsltConstants.XSLT_RESOURCE_URI, String.class); - if (newResourceUri != null) { - exchange.getIn().removeHeader(XsltConstants.XSLT_RESOURCE_URI); - LOG.trace("{} set to {} creating new endpoint to handle exchange", XsltConstants.XSLT_RESOURCE_URI, newResourceUri); - XsltEndpoint newEndpoint = findOrCreateEndpoint(getEndpointUri(), newResourceUri); - newEndpoint.onExchange(exchange); - } else { - if (!cacheStylesheet || cacheCleared) { - loadResource(resourceUri); - } - super.onExchange(exchange); + if (!cacheStylesheet || cacheCleared) { + loadResource(resourceUri); } + super.onExchange(exchange); + } /**
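Review bot: The rewritten `onExchange` no longer reads `CamelXsltResourceUri`, but it also no longer removes it, so a header supplied by an untrusted sender is now silently ignored here and forwarded unchanged to whatever handles the exchange next. Stripping it and logging makes stale or hostile use visible to operators: `if (exchange.getIn().removeHeader(XsltConstants.XSLT_RESOURCE_URI) != null) { LOG.warn("Ignoring unsupported header {}", XsltConstants.XSLT_RESOURCE_URI); }` placed ahead of the `loadResource` check. Log only the header name, not its value, since the value is sender-controlled. Nothing in this hunk configures the XML parser or transformer, so whether external entities in a message body are resolved depends on code outside it; that is worth confirming separately, given the advisory describes the issue as XXE. The same section is repeated under the other commits listed on this page.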
camel-core/src/test/java/org/apache/camel/component/xslt/XsltFromHeaderOverrideEndpointUriTest.java+2 −3 modified@@ -23,10 +23,9 @@ import org.apache.camel.builder.RouteBuilder; import org.apache.camel.component.mock.MockEndpoint; import org.apache.camel.impl.JndiRegistry; +import org.junit.Ignore; -/** - * - */ +@Ignore("CamelXsltComponent don't support XSLT_RESOURCE_URI header anymore") public class XsltFromHeaderOverrideEndpointUriTest extends ContextTestSupport { public void testSendMessageAndHaveItTransformed() throws Exception {
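Review bot: Disabling `XsltFromHeaderOverrideEndpointUriTest` with `@Ignore` leaves the security fix without a regression test; the useful check is now the inverse of the old one, namely sending a message that carries `CamelXsltResourceUri` and asserting that the endpoint's configured stylesheet is still the one applied. Inverting the assertions in `testSendMessageAndHaveItTransformed`, and renaming the class to match, would keep that guarantee under test instead of parking it. The empty `/** */` block that was removed could become a one-line class comment stating that the header must be ignored. The class body continues outside the hunk, and the same section is repeated under the other commits listed on this page.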
2ec54fa0c13a CAMEL-7129: Remove the CamelXsltResourceUri header from xslt component
3 files changed · +9 −14
camel-core/src/main/java/org/apache/camel/component/xslt/XsltConstants.java+3 −0 modified@@ -21,6 +21,9 @@ */ public final class XsltConstants { + @Deprecated + // XsltComponent don't support this message any more + // Please create the XsltEndpoint directly from the URI public static final String XSLT_RESOURCE_URI = "CamelXsltResourceUri"; private XsltConstants() {
camel-core/src/main/java/org/apache/camel/component/xslt/XsltEndpoint.java+4 −11 modified@@ -76,19 +76,12 @@ public XsltEndpoint findOrCreateEndpoint(String uri, String newResourceUri) { @Override protected void onExchange(Exchange exchange) throws Exception { - String newResourceUri = exchange.getIn().getHeader(XsltConstants.XSLT_RESOURCE_URI, String.class); - if (newResourceUri != null) { - exchange.getIn().removeHeader(XsltConstants.XSLT_RESOURCE_URI); - LOG.trace("{} set to {} creating new endpoint to handle exchange", XsltConstants.XSLT_RESOURCE_URI, newResourceUri); - XsltEndpoint newEndpoint = findOrCreateEndpoint(getEndpointUri(), newResourceUri); - newEndpoint.onExchange(exchange); - } else { - if (!cacheStylesheet || cacheCleared) { - loadResource(resourceUri); - } - super.onExchange(exchange); + if (!cacheStylesheet || cacheCleared) { + loadResource(resourceUri); } + super.onExchange(exchange); + } /**
camel-core/src/test/java/org/apache/camel/component/xslt/XsltFromHeaderOverrideEndpointUriTest.java+2 −3 modified@@ -23,10 +23,9 @@ import org.apache.camel.builder.RouteBuilder; import org.apache.camel.component.mock.MockEndpoint; import org.apache.camel.impl.JndiRegistry; +import org.junit.Ignore; -/** - * - */ +@Ignore("CamelXsltComponent don't support XSLT_RESOURCE_URI header anymore") public class XsltFromHeaderOverrideEndpointUriTest extends ContextTestSupport { public void testSendMessageAndHaveItTransformed() throws Exception {
341d4e6cca71 CAMEL-7129: Remove the CamelXsltResourceUri header from xslt component
3 files changed · +9 −14
camel-core/src/main/java/org/apache/camel/component/xslt/XsltConstants.java+3 −0 modified@@ -21,6 +21,9 @@ */ public final class XsltConstants { + @Deprecated + // XsltComponent don't support this message any more + // Please create the XsltEndpoint directly from the URI public static final String XSLT_RESOURCE_URI = "CamelXsltResourceUri"; private XsltConstants() {
camel-core/src/main/java/org/apache/camel/component/xslt/XsltEndpoint.java+4 −11 modified@@ -81,19 +81,12 @@ public XsltEndpoint findOrCreateEndpoint(String uri, String newResourceUri) { @Override protected void onExchange(Exchange exchange) throws Exception { - String newResourceUri = exchange.getIn().getHeader(XsltConstants.XSLT_RESOURCE_URI, String.class); - if (newResourceUri != null) { - exchange.getIn().removeHeader(XsltConstants.XSLT_RESOURCE_URI); - LOG.trace("{} set to {} creating new endpoint to handle exchange", XsltConstants.XSLT_RESOURCE_URI, newResourceUri); - XsltEndpoint newEndpoint = findOrCreateEndpoint(getEndpointUri(), newResourceUri); - newEndpoint.onExchange(exchange); - } else { - if (!cacheStylesheet || cacheCleared) { - loadResource(resourceUri); - } - super.onExchange(exchange); + if (!cacheStylesheet || cacheCleared) { + loadResource(resourceUri); } + super.onExchange(exchange); + } /**
camel-core/src/test/java/org/apache/camel/component/xslt/XsltFromHeaderOverrideEndpointUriTest.java+2 −3 modified@@ -23,10 +23,9 @@ import org.apache.camel.builder.RouteBuilder; import org.apache.camel.component.mock.MockEndpoint; import org.apache.camel.impl.JndiRegistry; +import org.junit.Ignore; -/** - * - */ +@Ignore("CamelXsltComponent don't support XSLT_RESOURCE_URI header anymore") public class XsltFromHeaderOverrideEndpointUriTest extends ContextTestSupport { public void testSendMessageAndHaveItTransformed() throws Exception {
54b65c1d3084 CAMEL-7129: Remove the CamelXsltResourceUri header from xslt component
3 files changed · +9 −14
camel-core/src/main/java/org/apache/camel/component/xslt/XsltConstants.java+3 −0 modified@@ -21,6 +21,9 @@ */ public final class XsltConstants { + @Deprecated + // XsltComponent don't support this message any more + // Please create the XsltEndpoint directly from the URI public static final String XSLT_RESOURCE_URI = "CamelXsltResourceUri"; private XsltConstants() {
camel-core/src/main/java/org/apache/camel/component/xslt/XsltEndpoint.java+4 −11 modified@@ -76,19 +76,12 @@ public XsltEndpoint findOrCreateEndpoint(String uri, String newResourceUri) { @Override protected void onExchange(Exchange exchange) throws Exception { - String newResourceUri = exchange.getIn().getHeader(XsltConstants.XSLT_RESOURCE_URI, String.class); - if (newResourceUri != null) { - exchange.getIn().removeHeader(XsltConstants.XSLT_RESOURCE_URI); - LOG.trace("{} set to {} creating new endpoint to handle exchange", XsltConstants.XSLT_RESOURCE_URI, newResourceUri); - XsltEndpoint newEndpoint = findOrCreateEndpoint(getEndpointUri(), newResourceUri); - newEndpoint.onExchange(exchange); - } else { - if (!cacheStylesheet || cacheCleared) { - loadResource(resourceUri); - } - super.onExchange(exchange); + if (!cacheStylesheet || cacheCleared) { + loadResource(resourceUri); } + super.onExchange(exchange); + } /**
camel-core/src/test/java/org/apache/camel/component/xslt/XsltFromHeaderOverrideEndpointUriTest.java+2 −3 modified@@ -23,10 +23,9 @@ import org.apache.camel.builder.RouteBuilder; import org.apache.camel.component.mock.MockEndpoint; import org.apache.camel.impl.JndiRegistry; +import org.junit.Ignore; -/** - * - */ +@Ignore("CamelXsltComponent don't support XSLT_RESOURCE_URI header anymore") public class XsltFromHeaderOverrideEndpointUriTest extends ContextTestSupport { public void testSendMessageAndHaveItTransformed() throws Exception {
2ec54fa0c13a CAMEL-7129: Remove the CamelXsltResourceUri header from xslt component
3 files changed · +9 −14
camel-core/src/main/java/org/apache/camel/component/xslt/XsltConstants.java+3 −0 modified@@ -21,6 +21,9 @@ */ public final class XsltConstants { + @Deprecated + // XsltComponent don't support this message any more + // Please create the XsltEndpoint directly from the URI public static final String XSLT_RESOURCE_URI = "CamelXsltResourceUri"; private XsltConstants() {
camel-core/src/main/java/org/apache/camel/component/xslt/XsltEndpoint.java+4 −11 modified@@ -76,19 +76,12 @@ public XsltEndpoint findOrCreateEndpoint(String uri, String newResourceUri) { @Override protected void onExchange(Exchange exchange) throws Exception { - String newResourceUri = exchange.getIn().getHeader(XsltConstants.XSLT_RESOURCE_URI, String.class); - if (newResourceUri != null) { - exchange.getIn().removeHeader(XsltConstants.XSLT_RESOURCE_URI); - LOG.trace("{} set to {} creating new endpoint to handle exchange", XsltConstants.XSLT_RESOURCE_URI, newResourceUri); - XsltEndpoint newEndpoint = findOrCreateEndpoint(getEndpointUri(), newResourceUri); - newEndpoint.onExchange(exchange); - } else { - if (!cacheStylesheet || cacheCleared) { - loadResource(resourceUri); - } - super.onExchange(exchange); + if (!cacheStylesheet || cacheCleared) { + loadResource(resourceUri); } + super.onExchange(exchange); + } /**
camel-core/src/test/java/org/apache/camel/component/xslt/XsltFromHeaderOverrideEndpointUriTest.java+2 −3 modified@@ -23,10 +23,9 @@ import org.apache.camel.builder.RouteBuilder; import org.apache.camel.component.mock.MockEndpoint; import org.apache.camel.impl.JndiRegistry; +import org.junit.Ignore; -/** - * - */ +@Ignore("CamelXsltComponent don't support XSLT_RESOURCE_URI header anymore") public class XsltFromHeaderOverrideEndpointUriTest extends ContextTestSupport { public void testSendMessageAndHaveItTransformed() throws Exception {
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (18)
- camel.apache.org/security-advisories.data/CVE-2014-0002.txt.asc (nvd; Exploit, Vendor Advisory, WEB)
- secunia.com/advisories/57125 (nvd; Vendor Advisory)
- github.com/advisories/GHSA-2fw5-rvf2-jq56 (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2014-0002 (ghsa; ADVISORY)
- rhn.redhat.com/errata/RHSA-2014-0371.html (nvd; WEB)
- rhn.redhat.com/errata/RHSA-2014-0372.html (nvd; WEB)
- github.com/apache/camel/commit/2ec54fa0c13ae65bdcccff764af081a79fcc05f (ghsa; WEB)
- github.com/apache/camel/commit/341d4e6cca71c53c90962d1c3d45fc9e05cc50c6 (ghsa; WEB)
- github.com/apache/camel/commit/54b65c1d30848835f26bd138c0ba407bc1e560d (ghsa; WEB)
- issues.apache.org/jira/browse/CAMEL-7129 (ghsa; WEB)
- lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E (nvd; WEB)
- lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf@%3Ccommits.camel.apache.org%3E (ghsa; WEB)
- lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d%40%3Ccommits.camel.apache.org%3E (nvd; WEB)
- lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d@%3Ccommits.camel.apache.org%3E (ghsa; WEB)
- web.archive.org/web/20200229061309/http://www.securityfocus.com/bid/65901 (ghsa; WEB)
- secunia.com/advisories/57716 (nvd)
- secunia.com/advisories/57719 (nvd)
- www.securityfocus.com/bid/65901 (nvd)