CVE-2019-0194
Description
Apache Camel's File is vulnerable to directory traversal. Camel 2.21.0 to 2.21.3, 2.22.0 to 2.22.2, 2.23.0 and the unsupported Camel 2.x (2.19 and earlier) versions may also be affected.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Camel's File component allows directory traversal via user-controlled filenames, enabling attackers to write files outside the intended directory.
Vulnerability
Description
CVE-2019-0194 is a directory traversal vulnerability in Apache Camel's File component. The root cause is that the component does not properly sanitize user-controlled filenames when writing files, allowing path traversal sequences (e.g., ../) to escape the intended starting directory [1][3]. This affects Camel versions 2.21.0 to 2.21.3, 2.22.0 to 2.22.2, 2.23.0, and earlier unsupported 2.x releases (2.19 and prior) [1][3].
Exploitation
An attacker can exploit this by providing a crafted filename containing directory traversal payloads via a route that uses the File producer. No special authentication is required if the route is exposed to untrusted input. The attack surface is any Camel integration that accepts filenames from external sources (e.g., HTTP requests, message queues) and writes files to disk using the File component [2][4].
Impact
Successful exploitation allows an attacker to write files to arbitrary locations on the file system, outside the intended base directory. This could lead to overwriting sensitive files, deploying malicious scripts, or achieving code execution depending on the write permissions and the runtime environment [1][3].
Mitigation
Apache released patched versions: 2.21.5, 2.22.3, and 2.23.1 [3]. The fix introduces a new option to restrict file writes to the starting directory or its subdirectories by default, preventing path traversal [4]. Users are advised to upgrade immediately. No workarounds are documented for unpatched versions.
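The containment check that this kind of fix relies on, as an added Java example (not Camel's source code and not taken from the referenced pull request). The class name `JailedResolver`, its methods, and the `/data/outbox` directory are hypothetical.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

// Added illustration, not Camel source: the class and method names are hypothetical.
public class JailedResolver {
    private final Path baseDir;

    public JailedResolver(String startingDirectory) {
        // Fix the base once, in absolute normalized form, so later comparisons are stable.
        this.baseDir = Paths.get(startingDirectory).toAbsolutePath().normalize();
    }

    /** Returns the path to write to, or throws if the name would leave baseDir. */
    public Path resolve(String fileName) {
        if (fileName == null || fileName.isEmpty()) {
            throw new IllegalArgumentException("empty file name");
        }
        // Path.resolve() returns an absolute argument unchanged, so absolute names
        // fall through to the containment check below and are rejected there.
        Path target = baseDir.resolve(fileName).normalize();
        // Path.startsWith compares whole name elements: /data/outbox-evil does not
        // "start with" /data/outbox, which a String.startsWith check would get wrong.
        if (target.equals(baseDir) || !target.startsWith(baseDir)) {
            throw new SecurityException("file name escapes starting directory: " + fileName);
        }
        // normalize() is purely lexical. If symlinks can exist under baseDir, also
        // compare target.getParent().toRealPath() with baseDir.toRealPath() before writing.
        return target;
    }

    public static void main(String[] args) {
        JailedResolver jail = new JailedResolver("/data/outbox"); // constructed sample directory
        String[] names = {                                       // constructed sample inputs
            "report.csv", "2019/04/report.csv", "a/../report.csv",
            "../outbox-evil/report.csv", "../../etc/report.csv", "/tmp/report.csv"
        };
        for (String name : names) {
            try {
                System.out.println("ALLOW  " + name + " -> " + jail.resolve(name));
            } catch (SecurityException | IllegalArgumentException e) {
                System.out.println("REJECT " + name + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

On routes that cannot be upgraded yet, the same check can be applied to any externally supplied file name before it reaches the File producer.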
- [1] NVD - CVE-2019-0194
- [2] GitHub - apache/camel: Apache Camel is an open source integration framework that empowers you to quickly and easily integrate various systems consuming or producing data.
- [3] security - [SECURITY] New security advisory CVE-2019-0194 released for Apache Camel
- [4] CAMEL-13042: File producer should by default only allow to write file… by davsclaus · Pull Request #2700 · apache/camel
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.camel:camel-core (Maven) | >= 2.21.0, < 2.21.5 | 2.21.5 |
| org.apache.camel:camel-core (Maven) | >= 2.22.0, < 2.22.3 | 2.22.3 |
| org.apache.camel:camel-core (Maven) | >= 2.23.0, < 2.23.1 | 2.23.1 |
Affected products
- Apache/Apache Camel (Range: Camel 2.21.0 to 2.21.3)
References
- github.com/advisories/GHSA-4wjq-69rc-8wcp (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-0194 (ghsa: ADVISORY)
- www.openwall.com/lists/oss-security/2019/04/30/2 (ghsa: mailing-list, x_refsource_MLIST, WEB)
- www.securityfocus.com/bid/108181 (mitre: vdb-entry, x_refsource_BID)
- github.com/apache/camel/pull/2700 (ghsa: WEB)
- issues.apache.org/jira/browse/CAMEL-13042 (ghsa: WEB)
- lists.apache.org/thread.html/0a163d02169d3d361150e8183df4af33f1a3d8a419b2937ac8e6c66f%40%3Cusers.camel.apache.org%3E (mitre: mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/0a163d02169d3d361150e8183df4af33f1a3d8a419b2937ac8e6c66f@%3Cusers.camel.apache.org%3E (ghsa: WEB)
- lists.apache.org/thread.html/0cb842f367336b352a7548e290116b64b78b8e7b99402deaba81a687%40%3Ccommits.camel.apache.org%3E (mitre: mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E (mitre: mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/45e23ade8d3cb754615f95975e89e8dc73c59eeac914f07d53acbac6%40%3Ccommits.camel.apache.org%3E (mitre: mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/45e23ade8d3cb754615f95975e89e8dc73c59eeac914f07d53acbac6@%3Ccommits.camel.apache.org%3E (ghsa: WEB)
- lists.apache.org/thread.html/9a6bc022f7ab28e4894b1831ce336eb41ae6d5c24d86646fe16e956f%40%3Ccommits.camel.apache.org%3E (mitre: mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/a39441db574ee996f829344491b3211b53c9ed926f00ae5d88943b76%40%3Cdev.camel.apache.org%3E (mitre: x_refsource_MISC)
- lists.apache.org/thread.html/a39441db574ee996f829344491b3211b53c9ed926f00ae5d88943b76@%3Cdev.camel.apache.org%3E (ghsa: WEB)
- lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d%40%3Ccommits.camel.apache.org%3E (mitre: mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d@%3Ccommits.camel.apache.org%3E (ghsa: WEB)