This is an automated email from the ASF dual-hosted git repository.

oscerd pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel-website.git

commit 326c43987a5e1dc838e139be997463f13a8a7b7b
Author: Andrea Cosentino <[email protected]>
AuthorDate: Mon Jun 15 12:26:46 2026 +0200

    Added CVE-2026-40047
    
    Signed-off-by: Andrea Cosentino <[email protected]>
---
 content/security/CVE-2026-40047.md      | 19 +++++++++++++++++++
 content/security/CVE-2026-40047.txt.asc | 33 +++++++++++++++++++++++++++++++++
 2 files changed, 52 insertions(+)

diff --git a/content/security/CVE-2026-40047.md 
b/content/security/CVE-2026-40047.md
new file mode 100644
index 00000000..f5f51f85
--- /dev/null
+++ b/content/security/CVE-2026-40047.md
@@ -0,0 +1,19 @@
+---
+title: "Apache Camel Security Advisory - CVE-2026-40047"
+date: 2026-06-09T10:00:00+02:00
+url: /security/CVE-2026-40047.html
+draft: false
+type: security-advisory
+cve: CVE-2026-40047
+severity: MEDIUM
+summary: "Camel-Docling: Insufficient validation of custom CLI arguments 
enables argument injection and path traversal in DoclingProducer"
+description: "The camel-docling component invokes the external `docling` 
command-line tool by assembling an argument list in DoclingProducer and 
executing it through java.lang.ProcessBuilder. Custom CLI arguments supplied 
through the `CamelDoclingCustomArguments` exchange header (a List<String>) were 
appended to that argument list with insufficient validation: the original 
implementation relied on a denylist of disallowed flags and only rejected path 
values that contained a literal `../` [...]
+mitigation: "Users are recommended to upgrade to a release that contains the 
CAMEL-23212 fix. On the mainline the fix is included from Apache Camel 4.19.0 
(and later releases such as 4.20.0). For users on the 4.18.x LTS releases 
stream, upgrade to 4.18.3. The fix replaces the denylist with a strict 
allowlist of recognized `docling` CLI flags (rejecting any unrecognized flag, 
and rejecting producer-managed flags such as the output-directory flags), 
defensively rejects shell metacharacters [...]
+credit: "This issue was discovered by Andrea Cosentino from Apache Software 
Foundation"
+affected: From 4.15.0 before 4.18.3.
+fixed: 4.18.3 and 4.19.0
+---
+
+The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23212 refers to 
the commits that resolved the issue, and has more details.
+
+The fix was merged on the main branch in 
https://github.com/apache/camel/pull/22082 (commit 
f86fda0442c65b9d13ce3aa8ac676233b64e3351) and is first available in the 4.19.0 
release. The 4.18.x LTS backport is https://github.com/apache/camel/pull/22767 
(commit 1fa56f45901f50aa79849ff2d2ca83dd57f6991c) and is included in the 4.18.3 
release.
diff --git a/content/security/CVE-2026-40047.txt.asc 
b/content/security/CVE-2026-40047.txt.asc
new file mode 100644
index 00000000..c3a45889
--- /dev/null
+++ b/content/security/CVE-2026-40047.txt.asc
@@ -0,0 +1,33 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+- ---
+title: "Apache Camel Security Advisory - CVE-2026-40047"
+date: 2026-06-09T10:00:00+02:00
+url: /security/CVE-2026-40047.html
+draft: false
+type: security-advisory
+cve: CVE-2026-40047
+severity: MEDIUM
+summary: "Camel-Docling: Insufficient validation of custom CLI arguments 
enables argument injection and path traversal in DoclingProducer"
+description: "The camel-docling component invokes the external `docling` 
command-line tool by assembling an argument list in DoclingProducer and 
executing it through java.lang.ProcessBuilder. Custom CLI arguments supplied 
through the `CamelDoclingCustomArguments` exchange header (a List<String>) were 
appended to that argument list with insufficient validation: the original 
implementation relied on a denylist of disallowed flags and only rejected path 
values that contained a literal `../` [...]
+mitigation: "Users are recommended to upgrade to a release that contains the 
CAMEL-23212 fix. On the mainline the fix is included from Apache Camel 4.19.0 
(and later releases such as 4.20.0). For users on the 4.18.x LTS releases 
stream, upgrade to 4.18.3. The fix replaces the denylist with a strict 
allowlist of recognized `docling` CLI flags (rejecting any unrecognized flag, 
and rejecting producer-managed flags such as the output-directory flags), 
defensively rejects shell metacharacters [...]
+credit: "This issue was discovered by Andrea Cosentino from Apache Software 
Foundation"
+affected: From 4.15.0 before 4.18.3.
+fixed: 4.18.3 and 4.19.0
+- ---
+
+The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23212 refers to 
the commits that resolved the issue, and has more details.
+
+The fix was merged on the main branch in 
https://github.com/apache/camel/pull/22082 (commit 
f86fda0442c65b9d13ce3aa8ac676233b64e3351) and is first available in the 4.19.0 
release. The 4.18.x LTS backport is https://github.com/apache/camel/pull/22767 
(commit 1fa56f45901f50aa79849ff2d2ca83dd57f6991c) and is included in the 4.18.3 
release.
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmonxIoACgkQ406fOAL/
+QQB6Rgf/W+8PipISDOVlnYXCzTzBhTgrj1o9agjzlU571G8hxJN9EMvK/w/B4iq4
+g43ehFioYgGlSSkzM2O7mg+bG+uE0BjW65JN1/NReAaEekBWMrgVXmqa6RXrsNcX
+dfIPL9+z58cCclL/UZ/pHCzajuhV5j/CcUjuwSR9zjNgZNLmTSX9kjxk3zVRCN5n
+pDtlGynJZzvv+ULT8ALLGAj2Mj+Kx3t9uHVo+Tqtrn1JjJaf8fbamimiGXQZuTDs
+AT4kMnZS+fFE4whyp///1vTJemXF9aew7JArvRn+dPn/3dL5LIto3kVs2rxBAO7G
+V2p9Qsb3wbH/bNMT0kMarGZRdY2Xaw==
+=su0K
+-----END PGP SIGNATURE-----

Reply via email to