This is an automated email from the ASF dual-hosted git repository. acosentino pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/camel-website.git
The following commit(s) were added to refs/heads/main by this push: new 446c8872 Security Advisory for CVE-2025-27636 (#1319) 446c8872 is described below commit 446c8872714f47912facd111917faccecd4bf4e3 Author: Andrea Cosentino <anco...@gmail.com> AuthorDate: Sun Mar 9 12:54:01 2025 +0100 Security Advisory for CVE-2025-27636 (#1319) Signed-off-by: Andrea Cosentino <anco...@gmail.com> --- content/security/CVE-2025-27636.md | 17 +++++++++++++++++ content/security/CVE-2025-27636.txt.asc | 31 +++++++++++++++++++++++++++++++ 2 files changed, 48 insertions(+) diff --git a/content/security/CVE-2025-27636.md b/content/security/CVE-2025-27636.md new file mode 100644 index 00000000..3c8e79c4 --- /dev/null +++ b/content/security/CVE-2025-27636.md 
@@ -0,0 +1,17 @@ +--- +title: "Apache Camel Security Advisory - CVE-2025-27636" +date: 2025-03-09T04:30:42+02:00 +url: /security/CVE-2025-27636.html +draft: false +type: security-advisory +cve: CVE-2025-27636 +severity: MODERATE +summary: "Apache Camel: Camel Message Header Injection via Improper Filtering" +description: "The default header filter strategy in Camel could be bypassed by altering the casing of letters. The default filtering mechanism that only blocks headers starting with 'Camel', 'camel', or 'org.apache.camel.'. This allows attackers to inject headers which can be exploited to invoke arbitrary methods from the Bean registry and also supports using Simple Expression Language (or OGNL in some cases) as part of the method parameters passed to the bean. It's important to note tha [...] +mitigation: "Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases." +credit: "This issue was discovered by Mark Thorson of AT&T" +affected: Apache Camel 4.10.0 before 4.10.2. Apache Camel 4.8.0 before 4.8.5. Apache Camel 3.10.0 before 3.22.4. +fixed: 3.22.4, 4.8.5 and 4.10.2 +--- + +The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-21828 refers to the various commits that resolved the issue, and have more details. diff --git a/content/security/CVE-2025-27636.txt.asc b/content/security/CVE-2025-27636.txt.asc new file mode 100644 index 00000000..67b4701a --- /dev/null +++ b/content/security/CVE-2025-27636.txt.asc 
@@ -0,0 +1,31 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA256 + +- --- +title: "Apache Camel Security Advisory - CVE-2025-27636" +date: 2025-03-09T04:30:42+02:00 +url: /security/CVE-2025-27636.html +draft: false +type: security-advisory +cve: CVE-2025-27636 +severity: MODERATE +summary: "Apache Camel: Camel Message Header Injection via Improper Filtering" +description: "The default header filter strategy in Camel could be bypassed by altering the casing of letters. The default filtering mechanism that only blocks headers starting with 'Camel', 'camel', or 'org.apache.camel.'. This allows attackers to inject headers which can be exploited to invoke arbitrary methods from the Bean registry and also supports using Simple Expression Language (or OGNL in some cases) as part of the method parameters passed to the bean. It's important to note tha [...] +mitigation: "Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases." +credit: "This issue was discovered by Mark Thorson of AT&T" +affected: Apache Camel 4.10.0 before 4.10.2. Apache Camel 4.8.0 before 4.8.5. Apache Camel 3.10.0 before 3.22.4. +fixed: 3.22.4, 4.8.5 and 4.10.2 +- --- + +The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-21828 refers to the various commits that resolved the issue, and have more details. +-----BEGIN PGP SIGNATURE----- + +iQEzBAEBCAAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmfNc5IACgkQ406fOAL/ +QQBf3Qf7BIb5J4mT85gZHlcYtqGkUnS9BLJSAI2odYCy9M9bvskA9vIqVHLDPXrM +YBKDaesnzGbdc9HFwJ9WLxKjwVjLfUL6UH02eSGrg2gHMKgMTvmumjLcHsYZIodl +7ALbTjsU+RkdluDd9RUJylDGp8T7dFXPDs78adYNO5b+APdPk/jz1LpUQ1nCSzwV +oOiiABPTJwK4qrPaWWApatbLYQulHsfWqXJ8guaeb/IbqV0u7jDD08/F5E1ph8AF +zrrn4t4GLyU6OJUeiECy/ZP1w5MWzipt9cMPQn97oPbjJH4CGpQCS8pO6bMj5JXf +/LITN6o6RMqDxSszdmF0UVfHbiCo8w== +=KuUE +-----END PGP SIGNATURE-----
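Review bot: in the content/security/CVE-2025-27636.md hunk, the second sentence of `description` is a fragment ("The default filtering mechanism that only blocks headers starting with 'Camel', 'camel', or 'org.apache.camel.'.") with no main verb, and since this string renders on the advisory page it should read "The default filtering mechanism only blocks headers starting with 'Camel', 'camel', or 'org.apache.camel.'." Two smaller points in the same hunk: `affected:` and `fixed:` are the only unquoted front-matter values while `summary`, `mitigation` and `credit` are quoted, so quote them for consistency (and so the `affected` text stays valid YAML if a colon is ever added to it); and the closing body line "refers to the various commits that resolved the issue, and have more details" should use "has" to agree with the singular "ticket".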
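Review bot: the content/security/CVE-2025-27636.txt.asc hunk embeds a verbatim copy of the .md front matter and body inside a PGP clearsigned message, so any wording fix made to CVE-2025-27636.md (the fragment sentence in `description`, the "have"/"has" agreement in the body line) must also be applied here and the file re-signed; otherwise the signed text and the published page diverge and the signature no longer attests the advisory readers actually see. The `- ---` lines are the expected dash-escaping of the `---` front-matter delimiters in a clearsigned body (RFC 4880, section 7.1), not a typo, so leave them as they are; before merge, run `gpg --verify content/security/CVE-2025-27636.txt.asc` with the signer's public key imported to confirm the signature matches the committed text.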