(camel-website) branch main updated: Update CVE-2025-27636.txt.asc

Sun, 09 Mar 2025 08:07:31 -0700 

This is an automated email from the ASF dual-hosted git repository.

acosentino pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel-website.git


The following commit(s) were added to refs/heads/main by this push:
     new 8be683b1 Update CVE-2025-27636.txt.asc
8be683b1 is described below

commit 8be683b1ec7b12ea9834e987255087e51e558757
Author: Andrea Cosentino <anco...@gmail.com>
AuthorDate: Sun Mar 9 16:06:22 2025 +0100

    Update CVE-2025-27636.txt.asc
---
 content/security/CVE-2025-27636.txt.asc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/security/CVE-2025-27636.txt.asc 
b/content/security/CVE-2025-27636.txt.asc
index f812d8fd..8ed5635b 100644
--- a/content/security/CVE-2025-27636.txt.asc
+++ b/content/security/CVE-2025-27636.txt.asc
@@ -11,7 +11,7 @@ cve: CVE-2025-27636
 severity: MODERATE
 summary: "Apache Camel-Bean component: Camel Message Header Injection via 
Improper Filtering"
 description: "This vulnerability is only present in the following situation. 
The user is using one of the following HTTP Servers via one the of the 
following Camel components: camel-servlet, camel-jetty, camel-undertow, 
camel-platform-http and camel-netty-http and in the route, the exchange will be 
routed to a camel-bean producer. So ONLY camel-bean component is affected. In 
particular: The bean invocation (is only affected if you use any of the above 
together with camel-bean component)  [...]
-mitigation: "Users are recommended to upgrade to version 4.10.2 for 4.10.x 
LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases. Also, users could use 
removeHeaders EIP, to filter out anything like "cAmel, cAMEL" etc, or in 
general everything not starting with 'Camel', 'camel' or 'org.apache.camel.'. "
+mitigation: "Users are recommended to upgrade to version 4.10.2 for 4.10.x 
LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases. Also, users could use 
removeHeaders EIP, to filter out anything like 'cAmel, cAMEL' etc, or in 
general everything not starting with 'Camel', 'camel' or 'org.apache.camel.'. "
 credit: "This issue was discovered by Mark Thorson of AT&T"
 affected: Apache Camel 4.10.0 before 4.10.2. Apache Camel 4.8.0 before 4.8.5. 
Apache Camel 3.10.0 before 3.22.4.
 fixed: 3.22.4, 4.8.5 and 4.10.2

Reply via email to