(camel-website) branch main updated: Update CVE-2025-27636.md

Sun, 09 Mar 2025 08:26:27 -0700 

This is an automated email from the ASF dual-hosted git repository.

acosentino pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel-website.git


The following commit(s) were added to refs/heads/main by this push:
     new b7ef03c9 Update CVE-2025-27636.md
b7ef03c9 is described below

commit b7ef03c99edf6600a332b3abba8761118401cc8f
Author: Andrea Cosentino <anco...@gmail.com>
AuthorDate: Sun Mar 9 16:05:53 2025 +0100

    Update CVE-2025-27636.md
---
 content/security/CVE-2025-27636.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/security/CVE-2025-27636.md 
b/content/security/CVE-2025-27636.md
index 85712858..9dfa4bdb 100644
--- a/content/security/CVE-2025-27636.md
+++ b/content/security/CVE-2025-27636.md
@@ -8,7 +8,7 @@ cve: CVE-2025-27636
 severity: MODERATE
 summary: "Apache Camel-Bean component: Camel Message Header Injection via 
Improper Filtering"
 description: "This vulnerability is only present in the following situation. 
The user is using one of the following HTTP Servers via one the of the 
following Camel components: camel-servlet, camel-jetty, camel-undertow, 
camel-platform-http and camel-netty-http and in the route, the exchange will be 
routed to a camel-bean producer. So ONLY camel-bean component is affected. In 
particular: The bean invocation (is only affected if you use any of the above 
together with camel-bean component)  [...]
-mitigation: "Users are recommended to upgrade to version 4.10.2 for 4.10.x 
LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases. Also, users could use 
removeHeaders EIP, to filter out anything like "cAmel, cAMEL" etc, or in 
general everything not starting with 'Camel', 'camel' or 'org.apache.camel.'. "
+mitigation: "Users are recommended to upgrade to version 4.10.2 for 4.10.x 
LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases. Also, users could use 
removeHeaders EIP, to filter out anything like 'cAmel, cAMEL' etc, or in 
general everything not starting with 'Camel', 'camel' or 'org.apache.camel.'. "
 credit: "This issue was discovered by Mark Thorson of AT&T"
 affected: Apache Camel 4.10.0 before 4.10.2. Apache Camel 4.8.0 before 4.8.5. 
Apache Camel 3.10.0 before 3.22.4.
 fixed: 3.22.4, 4.8.5 and 4.10.2

Reply via email to