Apache Camel’s Validation Component is vulnerable against SSRF via remote DTDs and XXE, as described in CVE-2017-5643
To protect against such attacks the system should be updated to Akka 2.4.20, 2.5.4 or later. Dependencies to Camel libraries should be updated to version 2.17.7.
The CVSS score of this vulnerability is 7.4 (High), according to CVE-2017-5643.
We have prepared patches for the affected versions, and have released the following versions which resolve the issue:
We would like to thank Thomas Szymanski for bringing this issue to our attention.