This is an automated email from the ASF dual-hosted git repository. oscerd pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/camel-website.git
commit 326c43987a5e1dc838e139be997463f13a8a7b7b Author: Andrea Cosentino <[email protected]> AuthorDate: Mon Jun 15 12:26:46 2026 +0200 Added CVE-2026-40047 Signed-off-by: Andrea Cosentino <[email protected]> --- content/security/CVE-2026-40047.md | 19 +++++++++++++++++++ content/security/CVE-2026-40047.txt.asc | 33 +++++++++++++++++++++++++++++++++ 2 files changed, 52 insertions(+) diff --git a/content/security/CVE-2026-40047.md b/content/security/CVE-2026-40047.md new file mode 100644 index 00000000..f5f51f85 --- /dev/null +++ b/content/security/CVE-2026-40047.md @@ -0,0 +1,19 @@ +--- +title: "Apache Camel Security Advisory - CVE-2026-40047" +date: 2026-06-09T10:00:00+02:00 +url: /security/CVE-2026-40047.html +draft: false +type: security-advisory +cve: CVE-2026-40047 +severity: MEDIUM +summary: "Camel-Docling: Insufficient validation of custom CLI arguments enables argument injection and path traversal in DoclingProducer" +description: "The camel-docling component invokes the external `docling` command-line tool by assembling an argument list in DoclingProducer and executing it through java.lang.ProcessBuilder. Custom CLI arguments supplied through the `CamelDoclingCustomArguments` exchange header (a List<String>) were appended to that argument list with insufficient validation: the original implementation relied on a denylist of disallowed flags and only rejected path values that contained a literal `../` [...] +mitigation: "Users are recommended to upgrade to a release that contains the CAMEL-23212 fix. On the mainline the fix is included from Apache Camel 4.19.0 (and later releases such as 4.20.0). For users on the 4.18.x LTS releases stream, upgrade to 4.18.3. The fix replaces the denylist with a strict allowlist of recognized `docling` CLI flags (rejecting any unrecognized flag, and rejecting producer-managed flags such as the output-directory flags), defensively rejects shell metacharacters [...] +credit: "This issue was discovered by Andrea Cosentino from Apache Software Foundation" +affected: From 4.15.0 before 4.18.3. +fixed: 4.18.3 and 4.19.0 +--- + +The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23212 refers to the commits that resolved the issue, and has more details. + +The fix was merged on the main branch in https://github.com/apache/camel/pull/22082 (commit f86fda0442c65b9d13ce3aa8ac676233b64e3351) and is first available in the 4.19.0 release. The 4.18.x LTS backport is https://github.com/apache/camel/pull/22767 (commit 1fa56f45901f50aa79849ff2d2ca83dd57f6991c) and is included in the 4.18.3 release. diff --git a/content/security/CVE-2026-40047.txt.asc b/content/security/CVE-2026-40047.txt.asc new file mode 100644 index 00000000..c3a45889 --- /dev/null +++ b/content/security/CVE-2026-40047.txt.asc @@ -0,0 +1,33 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +- --- +title: "Apache Camel Security Advisory - CVE-2026-40047" +date: 2026-06-09T10:00:00+02:00 +url: /security/CVE-2026-40047.html +draft: false +type: security-advisory +cve: CVE-2026-40047 +severity: MEDIUM +summary: "Camel-Docling: Insufficient validation of custom CLI arguments enables argument injection and path traversal in DoclingProducer" +description: "The camel-docling component invokes the external `docling` command-line tool by assembling an argument list in DoclingProducer and executing it through java.lang.ProcessBuilder. Custom CLI arguments supplied through the `CamelDoclingCustomArguments` exchange header (a List<String>) were appended to that argument list with insufficient validation: the original implementation relied on a denylist of disallowed flags and only rejected path values that contained a literal `../` [...] +mitigation: "Users are recommended to upgrade to a release that contains the CAMEL-23212 fix. On the mainline the fix is included from Apache Camel 4.19.0 (and later releases such as 4.20.0). For users on the 4.18.x LTS releases stream, upgrade to 4.18.3. The fix replaces the denylist with a strict allowlist of recognized `docling` CLI flags (rejecting any unrecognized flag, and rejecting producer-managed flags such as the output-directory flags), defensively rejects shell metacharacters [...] +credit: "This issue was discovered by Andrea Cosentino from Apache Software Foundation" +affected: From 4.15.0 before 4.18.3. +fixed: 4.18.3 and 4.19.0 +- --- + +The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23212 refers to the commits that resolved the issue, and has more details. + +The fix was merged on the main branch in https://github.com/apache/camel/pull/22082 (commit f86fda0442c65b9d13ce3aa8ac676233b64e3351) and is first available in the 4.19.0 release. The 4.18.x LTS backport is https://github.com/apache/camel/pull/22767 (commit 1fa56f45901f50aa79849ff2d2ca83dd57f6991c) and is included in the 4.18.3 release. +-----BEGIN PGP SIGNATURE----- + +iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmonxIoACgkQ406fOAL/ +QQB6Rgf/W+8PipISDOVlnYXCzTzBhTgrj1o9agjzlU571G8hxJN9EMvK/w/B4iq4 +g43ehFioYgGlSSkzM2O7mg+bG+uE0BjW65JN1/NReAaEekBWMrgVXmqa6RXrsNcX +dfIPL9+z58cCclL/UZ/pHCzajuhV5j/CcUjuwSR9zjNgZNLmTSX9kjxk3zVRCN5n +pDtlGynJZzvv+ULT8ALLGAj2Mj+Kx3t9uHVo+Tqtrn1JjJaf8fbamimiGXQZuTDs +AT4kMnZS+fFE4whyp///1vTJemXF9aew7JArvRn+dPn/3dL5LIto3kVs2rxBAO7G +V2p9Qsb3wbH/bNMT0kMarGZRdY2Xaw== +=su0K +-----END PGP SIGNATURE-----
