This is an automated email from the ASF dual-hosted git repository.
acosentino pushed a commit to branch CVE-2025-30177
in repository https://gitbox.apache.org/repos/asf/camel-website.git
commit c0d88af2c8944dec9ebee3bf027d6622c6a277cb
Author: Andrea Cosentino <anco...@gmail.com>
AuthorDate: Tue Apr 1 12:11:49 2025 +0200
Added Security Advisory for CVE-2025-30177
Signed-off-by: Andrea Cosentino <anco...@gmail.com>
---
content/security/CVE-2025-30177.md | 18 ++++++++++++++++++
content/security/CVE-2025-30177.txt.asc | 32 ++++++++++++++++++++++++++++++++
2 files changed, 50 insertions(+)
diff --git a/content/security/CVE-2025-30177.md
b/content/security/CVE-2025-30177.md
new file mode 100644
index 00000000..2170dd87
--- /dev/null
+++ b/content/security/CVE-2025-30177.md
@@ -0,0 +1,18 @@
+---
+title: "Apache Camel Security Advisory - CVE-2025-30177"
+date: 2025-04-01T07:30:42+02:00
+url: /security/CVE-2025-30177.html
+draft: false
+type: security-advisory
+cve: CVE-2025-30177
+severity: MEDIUM
+summary: "Camel-Undertow Message Header Injection via Improper Filtering"
+description: "Camel undertow component is vulnerable to Camel message header
injection, in particular the custom header filter strategy used by the
component only filter the "out" direction, while it doesn't filter the "in"
direction.This allows an attacker to include Camel specific headers that for
some Camel components can alter the behaviours such as the camel-bean
component, or the camel-exec component."
+mitigation: "Users are recommended to upgrade to version 4.10.3 for 4.10.x LTS
and 4.8.6 for 4.8.x LTS."
+credit: "This issue was discovered and reported by Mark Thorson of AT&T."
+affected: Apache Camel 4.10.0 before 4.10.3. Apache Camel 4.8.0 before 4.8.6.
+fixed: 4.8.6 and 4.10.3
+---
+
+The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-21876 refers to
the commit that resolved the issue, and have more details.
+This CVE is related to the CVE-2025-27636 and CVE-2025-29891.
diff --git a/content/security/CVE-2025-30177.txt.asc
b/content/security/CVE-2025-30177.txt.asc
new file mode 100644
index 00000000..1a5b6d50
--- /dev/null
+++ b/content/security/CVE-2025-30177.txt.asc
@@ -0,0 +1,32 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA256
+
+- ---
+title: "Apache Camel Security Advisory - CVE-2025-30177"
+date: 2025-04-01T07:30:42+02:00
+url: /security/CVE-2025-30177.html
+draft: false
+type: security-advisory
+cve: CVE-2025-30177
+severity: MEDIUM
+summary: "Camel-Undertow Message Header Injection via Improper Filtering"
+description: "Camel undertow component is vulnerable to Camel message header
injection, in particular the custom header filter strategy used by the
component only filter the "out" direction, while it doesn't filter the "in"
direction.This allows an attacker to include Camel specific headers that for
some Camel components can alter the behaviours such as the camel-bean
component, or the camel-exec component."
+mitigation: "Users are recommended to upgrade to version 4.10.3 for 4.10.x LTS
and 4.8.6 for 4.8.x LTS."
+credit: "This issue was discovered and reported by Mark Thorson of AT&T."
+affected: Apache Camel 4.10.0 before 4.10.3. Apache Camel 4.8.0 before 4.8.6.
+fixed: 4.8.6 and 4.10.3
+- ---
+
+The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-21876 refers to
the commit that resolved the issue, and have more details.
+This CVE is related to the CVE-2025-27636 and CVE-2025-29891.
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAEBCAAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmfru8QACgkQ406fOAL/
+QQAUUwgAscNOr82n65rdFrPRISN4iNLPL8uDtUjBpfROgQBu2vRn6Uk/Me+tIRR4
+lPOP0k8kKwdkjsJB1RqrhvPWsVcLfBap9J22m91HTv/k7Ijz4nZqqJWIqV1sy2+T
+0DQP+vGFmxVnhE3ySizKVj38TW03jPdRE+FizTNWWm5T1ikKPITcy4MN2ChvjnN+
+R1uDdm7n0BwCmI+IeKlBI9ZZ2gXfNiwi3u8XXerv77t7PmNwT7m0ms559U7hmduO
+eIqsztK2ZBwghtMooXzsJIFyZnWliuh0Avbejt3Q8jMQ7T9fjJi2ZXYbkyflU1Yj
+nfZi/viGEpTzoBS3FaEtGbVGPnJUiw==
+=u83l
+-----END PGP SIGNATURE-----
