Apache Camel

Source repositories

https://github.com/apache/camel

CVEs (18)

CVE	Vendor / Product	Sev	Risk	CVSS	EPSS	Published	Description
CVE-2017-12633	Apache Camel	Cri	0.64	9.8	0.03	Nov 15, 2017	The camel-hessian component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-serialisation vulnerability. De-serializing untrusted data can lead to security flaws.
CVE-2016-8749	Apache Camel	Cri	0.58	9.8	0.12	Mar 28, 2017	Apache Camel's Jackson and JacksonXML unmarshalling operation are vulnerable to Remote Code Execution attacks.
CVE-2017-12634	Apache Camel	Cri	0.57	9.8	0.06	Nov 15, 2017	The camel-castor component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-serialisation vulnerability. De-serializing untrusted data can lead to security flaws.
CVE-2017-3159	Apache Camel	Cri	0.57	9.8	0.03	Mar 7, 2017	Apache Camel's camel-snakeyaml component is vulnerable to Java object de-serialization vulnerability. De-serializing untrusted data can lead to security flaws.
CVE-2017-5643	Apache Camel	Hig	0.41	7.4	0.01	Mar 16, 2017	Apache Camel's Validation Component is vulnerable against SSRF via remote DTDs and XXE.
CVE-2026-25747	Apache Camel		0.00	—	0.00	Feb 23, 2026	Deserialization of Untrusted Data vulnerability in Apache Camel LevelDB component. The Camel-LevelDB DefaultLevelDBSerializer class deserializes data read from the LevelDB aggregation repository using java.io.ObjectInputStream without applying any ObjectInputFilter or…
CVE-2026-23552	Apache Camel		0.00	—	0.00	Feb 23, 2026	Cross-Realm Token Acceptance Bypass in KeycloakSecurityPolicy Apache Camel Keycloak component. The Camel-Keycloak KeycloakSecurityPolicy does not validate the iss (issuer) claim of JWT tokens against the configured realm. A token issued by one Keycloak realm is silently…
CVE-2025-30177	Apache Camel		0.00	—	0.00	Apr 1, 2025	Bypass/Injection vulnerability in Apache Camel in Camel-Undertow component under particular conditions. This issue affects Apache Camel: from 4.10.0 before 4.10.3, from 4.8.0 before 4.8.6. Users are recommended to upgrade to version 4.10.3 for 4.10.x LTS and 4.8.6 for 4.8.x…
CVE-2025-29891	Apache Camel		0.00	—	0.01	Mar 12, 2025	Bypass/Injection vulnerability in Apache Camel. This issue affects Apache Camel: from 4.10.0 before 4.10.2, from 4.8.0 before 4.8.5, from 3.10.0 before 3.22.4. Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases. …
CVE-2025-27636	Apache Camel		0.00	—	0.52	Mar 9, 2025	Bypass/Injection vulnerability in Apache Camel components under particular conditions. This issue affects Apache Camel: from 4.10.0 through <= 4.10.1, from 4.8.0 through <= 4.8.4, from 3.10.0 through <= 3.22.3. Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS,…
CVE-2024-22371	Apache Camel		0.00	—	0.01	Feb 26, 2024	Exposure of sensitive data by by crafting a malicious EventFactory and providing a custom ExchangeCreatedEvent that exposes sensitive data. Vulnerability in Apache Camel.This issue affects Apache Camel: from 3.21.X through 3.21.3, from 3.22.X through 3.22.0, from 4.0.X through…
CVE-2024-23114	Apache Camel		0.00	—	0.01	Feb 20, 2024	Deserialization of Untrusted Data vulnerability in Apache Camel CassandraQL Component AggregationRepository which is vulnerable to unsafe deserialization. Under specific conditions it is possible to deserialize malicious payload.This issue affects Apache Camel: from 3.0.0 before…
CVE-2024-22369	Apache Camel		0.00	—	0.12	Feb 20, 2024	Deserialization of Untrusted Data vulnerability in Apache Camel SQL ComponentThis issue affects Apache Camel: from 3.0.0 before 3.21.4, from 3.22.0 before 3.22.1, from 4.0.0 before 4.0.4, from 4.1.0 before 4.4.0. Users are recommended to upgrade to version 4.4.0, which fixes…
CVE-2023-34442	Apache Apache Camel		0.00	—	0.00	Jul 10, 2023	Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Camel.This issue affects Apache Camel: from 3.X through <=3.14.8, from 3.18.X through <=3.18.7, from 3.20.X through <= 3.20.5, from 4.X through <= 4.0.0-M3. Users…
CVE-2019-0188	Apache Camel		0.00	—	0.01	May 28, 2019	Apache Camel prior to 2.24.0 contains an XML external entity injection (XXE) vulnerability (CWE-611) due to using an outdated vulnerable JSON-lib library. This affects only the camel-xmljson component, which was removed.
CVE-2019-0194	Apache Camel		0.00	—	0.02	Apr 30, 2019	Apache Camel's File is vulnerable to directory traversal. Camel 2.21.0 to 2.21.3, 2.22.0 to 2.22.2, 2.23.0 and the unsupported Camel 2.x (2.19 and earlier) versions may be also affected.
CVE-2018-8041	Apache Apache Camel		0.00	—	0.02	Sep 17, 2018	Apache Camel's Mail 2.20.0 through 2.20.3, 2.21.0 through 2.21.1 and 2.22.0 is vulnerable to path traversal.
CVE-2018-8027	Apache Camel		0.00	—	0.03	Jul 31, 2018	Apache Camel 2.20.0 to 2.20.3 and 2.21.0 Core is vulnerable to XXE in XSD validation processor.

CVE-2017-12633CriNov 15, 2017
Apache
Camel
risk 0.64cvss 9.8epss 0.03
The camel-hessian component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-serialisation vulnerability. De-serializing untrusted data can lead to security flaws.
CVE-2016-8749CriMar 28, 2017
Apache
Camel
risk 0.58cvss 9.8epss 0.12
Apache Camel's Jackson and JacksonXML unmarshalling operation are vulnerable to Remote Code Execution attacks.
CVE-2017-12634CriNov 15, 2017
Apache
Camel
risk 0.57cvss 9.8epss 0.06
The camel-castor component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-serialisation vulnerability. De-serializing untrusted data can lead to security flaws.
CVE-2017-3159CriMar 7, 2017
Apache
Camel
risk 0.57cvss 9.8epss 0.03
Apache Camel's camel-snakeyaml component is vulnerable to Java object de-serialization vulnerability. De-serializing untrusted data can lead to security flaws.
CVE-2017-5643HigMar 16, 2017
Apache
Camel
risk 0.41cvss 7.4epss 0.01
Apache Camel's Validation Component is vulnerable against SSRF via remote DTDs and XXE.
CVE-2026-25747Feb 23, 2026
Apache
Camel
risk 0.00cvss —epss 0.00
Deserialization of Untrusted Data vulnerability in Apache Camel LevelDB component. The Camel-LevelDB DefaultLevelDBSerializer class deserializes data read from the LevelDB aggregation repository using java.io.ObjectInputStream without applying any ObjectInputFilter or…
CVE-2026-23552Feb 23, 2026
Apache
Camel
risk 0.00cvss —epss 0.00
Cross-Realm Token Acceptance Bypass in KeycloakSecurityPolicy Apache Camel Keycloak component. The Camel-Keycloak KeycloakSecurityPolicy does not validate the iss (issuer) claim of JWT tokens against the configured realm. A token issued by one Keycloak realm is silently…
CVE-2025-30177Apr 1, 2025
Apache
Camel
risk 0.00cvss —epss 0.00
Bypass/Injection vulnerability in Apache Camel in Camel-Undertow component under particular conditions. This issue affects Apache Camel: from 4.10.0 before 4.10.3, from 4.8.0 before 4.8.6. Users are recommended to upgrade to version 4.10.3 for 4.10.x LTS and 4.8.6 for 4.8.x…
CVE-2025-29891Mar 12, 2025
Apache
Camel
risk 0.00cvss —epss 0.01
Bypass/Injection vulnerability in Apache Camel. This issue affects Apache Camel: from 4.10.0 before 4.10.2, from 4.8.0 before 4.8.5, from 3.10.0 before 3.22.4. Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases. …
CVE-2025-27636Mar 9, 2025
Apache
Camel
risk 0.00cvss —epss 0.52
Bypass/Injection vulnerability in Apache Camel components under particular conditions. This issue affects Apache Camel: from 4.10.0 through <= 4.10.1, from 4.8.0 through <= 4.8.4, from 3.10.0 through <= 3.22.3. Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS,…
CVE-2024-22371Feb 26, 2024
Apache
Camel
risk 0.00cvss —epss 0.01
Exposure of sensitive data by by crafting a malicious EventFactory and providing a custom ExchangeCreatedEvent that exposes sensitive data. Vulnerability in Apache Camel.This issue affects Apache Camel: from 3.21.X through 3.21.3, from 3.22.X through 3.22.0, from 4.0.X through…
CVE-2024-23114Feb 20, 2024
Apache
Camel
risk 0.00cvss —epss 0.01
Deserialization of Untrusted Data vulnerability in Apache Camel CassandraQL Component AggregationRepository which is vulnerable to unsafe deserialization. Under specific conditions it is possible to deserialize malicious payload.This issue affects Apache Camel: from 3.0.0 before…
CVE-2024-22369Feb 20, 2024
Apache
Camel
risk 0.00cvss —epss 0.12
Deserialization of Untrusted Data vulnerability in Apache Camel SQL ComponentThis issue affects Apache Camel: from 3.0.0 before 3.21.4, from 3.22.0 before 3.22.1, from 4.0.0 before 4.0.4, from 4.1.0 before 4.4.0. Users are recommended to upgrade to version 4.4.0, which fixes…
CVE-2023-34442Jul 10, 2023
Apache
Apache Camel
risk 0.00cvss —epss 0.00
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Camel.This issue affects Apache Camel: from 3.X through <=3.14.8, from 3.18.X through <=3.18.7, from 3.20.X through <= 3.20.5, from 4.X through <= 4.0.0-M3. Users…
CVE-2019-0188May 28, 2019
Apache
Camel
risk 0.00cvss —epss 0.01
Apache Camel prior to 2.24.0 contains an XML external entity injection (XXE) vulnerability (CWE-611) due to using an outdated vulnerable JSON-lib library. This affects only the camel-xmljson component, which was removed.
CVE-2019-0194Apr 30, 2019
Apache
Camel
risk 0.00cvss —epss 0.02
Apache Camel's File is vulnerable to directory traversal. Camel 2.21.0 to 2.21.3, 2.22.0 to 2.22.2, 2.23.0 and the unsupported Camel 2.x (2.19 and earlier) versions may be also affected.
CVE-2018-8041Sep 17, 2018
Apache
Apache Camel
risk 0.00cvss —epss 0.02
Apache Camel's Mail 2.20.0 through 2.20.3, 2.21.0 through 2.21.1 and 2.22.0 is vulnerable to path traversal.
CVE-2018-8027Jul 31, 2018
Apache
Camel
risk 0.00cvss —epss 0.03
Apache Camel 2.20.0 to 2.20.3 and 2.21.0 Core is vulnerable to XXE in XSD validation processor.