This is an automated email from the ASF dual-hosted git repository.
acosentino pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel-website.git
The following commit(s) were added to refs/heads/main by this push:
new b46c3572 Upgrade CVE-2025-27636
b46c3572 is described below
commit b46c357282b016e9935cc22079dec5a0c5861ce7
Author: Andrea Cosentino <anco...@gmail.com>
AuthorDate: Mon Mar 10 12:54:43 2025 +0100
Upgrade CVE-2025-27636
Signed-off-by: Andrea Cosentino <anco...@gmail.com>
---
content/security/CVE-2025-27636.md | 4 ++--
content/security/CVE-2025-27636.txt.asc | 20 ++++++++++----------
2 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/content/security/CVE-2025-27636.md
b/content/security/CVE-2025-27636.md
index 3a1b86b0..3d7459f1 100644
--- a/content/security/CVE-2025-27636.md
+++ b/content/security/CVE-2025-27636.md
@@ -7,8 +7,7 @@ type: security-advisory
cve: CVE-2025-27636
severity: MODERATE
summary: "Apache Camel-Bean component: Camel Message Header Injection via
Improper Filtering"
-description: "This vulnerability is only present in the following situation.
The user is using one of the following HTTP Servers via one the of the
following Camel components: camel-servlet, camel-jetty, camel-undertow,
camel-platform-http and camel-netty-http and in the route, the exchange will be
routed to a camel-bean producer. So ONLY camel-bean component is affected. In
particular: The bean invocation (is only affected if you use any of the above
together with camel-bean component) [...]
-mitigation: "Users are recommended to upgrade to version 4.10.2 for 4.10.x
LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases. Also, users could use
removeHeaders EIP, to filter out anything like 'cAmel, cAMEL' etc, or in
general everything not starting with 'Camel', 'camel' or 'org.apache.camel.'.
This vulnerability is present in Camel's default incoming header filter, that
allows an attacker to include Camel specific
+description: "This vulnerability is only present in the following situation.
The user is using one of the following HTTP Servers via one the of the
following Camel components: camel-servlet, camel-jetty, camel-undertow,
camel-platform-http and camel-netty-http and in the route, the exchange will be
routed to a camel-bean producer. So ONLY camel-bean component is affected. In
particular: The bean invocation (is only affected if you use any of the above
together with camel-bean component) [...]
headers that for some Camel components can alter the behaviours such as the
camel-bean component, to call another method
on the bean, than was coded in the application. In the camel-jms component,
then a mallicous header can be used to send
the message to another queue (on the same broker) than was coded in the
application.
@@ -45,6 +44,7 @@ camel-stomp
camel-tahu
camel-undertow
camel-xmpp"
+mitigation: "Users are recommended to upgrade to version 4.10.2 for 4.10.x
LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases. Also, users could use
removeHeaders EIP, to filter out anything like 'cAmel, cAMEL' etc, or in
general everything not starting with 'Camel', 'camel' or 'org.apache.camel.'."
credit: "This issue was discovered by Mark Thorson of AT&T"
affected: Apache Camel 4.10.0 before 4.10.2. Apache Camel 4.8.0 before 4.8.5.
Apache Camel 3.10.0 before 3.22.4.
fixed: 3.22.4, 4.8.5 and 4.10.2
diff --git a/content/security/CVE-2025-27636.txt.asc
b/content/security/CVE-2025-27636.txt.asc
index 942770a0..7c494ae9 100644
--- a/content/security/CVE-2025-27636.txt.asc
+++ b/content/security/CVE-2025-27636.txt.asc
@@ -10,8 +10,7 @@ type: security-advisory
cve: CVE-2025-27636
severity: MODERATE
summary: "Apache Camel-Bean component: Camel Message Header Injection via
Improper Filtering"
-description: "This vulnerability is only present in the following situation.
The user is using one of the following HTTP Servers via one the of the
following Camel components: camel-servlet, camel-jetty, camel-undertow,
camel-platform-http and camel-netty-http and in the route, the exchange will be
routed to a camel-bean producer. So ONLY camel-bean component is affected. In
particular: The bean invocation (is only affected if you use any of the above
together with camel-bean component) [...]
-mitigation: "Users are recommended to upgrade to version 4.10.2 for 4.10.x
LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases. Also, users could use
removeHeaders EIP, to filter out anything like 'cAmel, cAMEL' etc, or in
general everything not starting with 'Camel', 'camel' or 'org.apache.camel.'.
This vulnerability is present in Camel's default incoming header filter, that
allows an attacker to include Camel specific
+description: "This vulnerability is only present in the following situation.
The user is using one of the following HTTP Servers via one the of the
following Camel components: camel-servlet, camel-jetty, camel-undertow,
camel-platform-http and camel-netty-http and in the route, the exchange will be
routed to a camel-bean producer. So ONLY camel-bean component is affected. In
particular: The bean invocation (is only affected if you use any of the above
together with camel-bean component) [...]
headers that for some Camel components can alter the behaviours such as the
camel-bean component, to call another method
on the bean, than was coded in the application. In the camel-jms component,
then a mallicous header can be used to send
the message to another queue (on the same broker) than was coded in the
application.
@@ -48,6 +47,7 @@ camel-stomp
camel-tahu
camel-undertow
camel-xmpp"
+mitigation: "Users are recommended to upgrade to version 4.10.2 for 4.10.x
LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases. Also, users could use
removeHeaders EIP, to filter out anything like 'cAmel, cAMEL' etc, or in
general everything not starting with 'Camel', 'camel' or 'org.apache.camel.'."
credit: "This issue was discovered by Mark Thorson of AT&T"
affected: Apache Camel 4.10.0 before 4.10.2. Apache Camel 4.8.0 before 4.8.5.
Apache Camel 3.10.0 before 3.22.4.
fixed: 3.22.4, 4.8.5 and 4.10.2
@@ -56,12 +56,12 @@ fixed: 3.22.4, 4.8.5 and 4.10.2
The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-21828 refers to
the various commits that resolved the issue, and have more details.
-----BEGIN PGP SIGNATURE-----
-iQEzBAEBCAAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmfO0nQACgkQ406fOAL/
-QQCU5AgAqPcA7MznNYjVcSA3EewFNfHjD8qxQY+BxiXUtR9p8yBw/EEvkOavs9od
-iKzV5GhlNsGUGHoGbTMc6RERTrk5uijBm8zA0FCaWuq9YlUreQZX+qnFWAEUi6nI
-lpHXyL1IGLI8WE6iszjk91HTdFr28+f87U3LqmAkKK6PPoeEiq714gxSVjO5BrC7
-gLwzgN3qoCJcTGxWbfpMttAMmHpRt6f+ZxKzQNbv6M0Qd9rbCMqPJ8QyMeZeTZMM
-4oECpBzdLmfFnCZawhIQwtuM1FZ0xfvpwl0rdpDfcGA12OouQPLDS+/vYE7ntN4J
-fV4x0qEmNtxYHeTEzBXzv4C7KiUaEQ==
-=tb1m
+iQEzBAEBCAAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmfO0wAACgkQ406fOAL/
+QQAGXAf+LVE8hHv9HIJh8LsQnj21zp4UvtnoPt3aPy3Dzto0PQko/QUIPGQK8FC2
+AoXJ1//EDPqUk2QpMlJ+k1pS2Lk9iojOc3sPgOxGK5beRK8eRYbD1HRKCn+hc7sW
+8TV7JnHRWX8CMPJsnpfjZsCsY5lNHhvSwcGzBxnnI5xGuxzWN7vEgb0rm1OoE+je
+CZx85sq3xmzlGEnTG/S+3CntMXDgjQtGqEogTjeYjuQZ7aqA2lf0Y2NbbeJGFRX8
+FJDbZbB9Wo9ULifMjG/A2gEPCklTIYPlhX6DJ5X1m7mF+5+IIeq9BEoruUCGF39T
+aniOWsxDSapjuM868karkwBh800Dhg==
+=zNda
-----END PGP SIGNATURE-----
