This is an automated email from the ASF dual-hosted git repository. oscerd pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/camel-website.git
commit 8e09c4f02e0a209cb04a39071393409389d4caf5 Author: Andrea Cosentino <[email protected]> AuthorDate: Mon Jun 15 12:27:06 2026 +0200 Added CVE-2026-48206 Signed-off-by: Andrea Cosentino <[email protected]> --- content/security/CVE-2026-48206.md | 17 +++++++++++++++++ content/security/CVE-2026-48206.txt.asc | 31 +++++++++++++++++++++++++++++++ 2 files changed, 48 insertions(+) diff --git a/content/security/CVE-2026-48206.md b/content/security/CVE-2026-48206.md new file mode 100644 index 00000000..b210eb90 --- /dev/null +++ b/content/security/CVE-2026-48206.md @@ -0,0 +1,17 @@ +--- +title: "Apache Camel Security Advisory - CVE-2026-48206" +date: 2026-06-11T10:00:00+02:00 +url: /security/CVE-2026-48206.html +draft: false +type: security-advisory +cve: CVE-2026-48206 +severity: MEDIUM +summary: "Apache Camel: Camel-JIRA: A set of non-Camel-prefixed Exchange header constants (IssueKey, ProjectKey, IssueTransitionId, ...) bypass the HTTP header filter, allowing an HTTP client to drive arbitrary JIRA issue operations using the endpoint's configured credentials" +description: "The camel-jira producers read their operation parameters - the issue key, project key, transition id, summary, type, assignee, components, watchers, link type, work-log minutes and others - from Exchange message headers. The header constants defined in JiraConstants (for example ISSUE_KEY = IssueKey, ISSUE_PROJECT_KEY = ProjectKey, ISSUE_TRANSITION_ID = IssueTransitionId, LINK_TYPE = linkType) used plain, non-Camel-prefixed values. Because these names do not start with the [...] +mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, routes that drive JIRA operations via the raw header names must use the CamelJira* names (for example CamelJiraIssueKey) instead of the old values. For deployments that cannot upgrade immediately, strip [...] +credit: "This issue was discovered by Yu Bao from PayPal" +affected: "From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0." +fixed: 4.14.8, 4.18.3 and 4.21.0 +--- + +The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23576 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23417 (commit 3240a174a3707ba2b1d893c4ac0880829e0c9233) and backported to camel-4.18.x (commit 024704f95f16d1260304054088fa0b34acb57ebf) and camel-4.14.x (commit 6863ea624605ab3fa8827c43a4c5df333f767dc4). The fix renames the camel-jira Exchange header constant values to the Camel [...] diff --git a/content/security/CVE-2026-48206.txt.asc b/content/security/CVE-2026-48206.txt.asc new file mode 100644 index 00000000..b2989423 --- /dev/null +++ b/content/security/CVE-2026-48206.txt.asc @@ -0,0 +1,31 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +- --- +title: "Apache Camel Security Advisory - CVE-2026-48206" +date: 2026-06-11T10:00:00+02:00 +url: /security/CVE-2026-48206.html +draft: false +type: security-advisory +cve: CVE-2026-48206 +severity: MEDIUM +summary: "Apache Camel: Camel-JIRA: A set of non-Camel-prefixed Exchange header constants (IssueKey, ProjectKey, IssueTransitionId, ...) bypass the HTTP header filter, allowing an HTTP client to drive arbitrary JIRA issue operations using the endpoint's configured credentials" +description: "The camel-jira producers read their operation parameters - the issue key, project key, transition id, summary, type, assignee, components, watchers, link type, work-log minutes and others - from Exchange message headers. The header constants defined in JiraConstants (for example ISSUE_KEY = IssueKey, ISSUE_PROJECT_KEY = ProjectKey, ISSUE_TRANSITION_ID = IssueTransitionId, LINK_TYPE = linkType) used plain, non-Camel-prefixed values. Because these names do not start with the [...] +mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, routes that drive JIRA operations via the raw header names must use the CamelJira* names (for example CamelJiraIssueKey) instead of the old values. For deployments that cannot upgrade immediately, strip [...] +credit: "This issue was discovered by Yu Bao from PayPal" +affected: "From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0." +fixed: 4.14.8, 4.18.3 and 4.21.0 +- --- + +The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23576 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23417 (commit 3240a174a3707ba2b1d893c4ac0880829e0c9233) and backported to camel-4.18.x (commit 024704f95f16d1260304054088fa0b34acb57ebf) and camel-4.14.x (commit 6863ea624605ab3fa8827c43a4c5df333f767dc4). The fix renames the camel-jira Exchange header constant values to the Camel [...] +-----BEGIN PGP SIGNATURE----- + +iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmovx0kACgkQ406fOAL/ +QQAAuggArugs/6V+nI9LE0vFZajL+mLLpH+6xzPTWwVMGLBEiehpTn7DPGbMfLrq +5s2MZHhnr3Mk5EC2ZZtCBKUlbiECLiSR2v0hLFt58FJMjGY6oubYOYOyFhroZvjP +pq20roznx2oFcOWm9XEK9DN1CynNgpteWi0KKDUYQdK6pfSSvGgAKNl+he7RFgz9 +SuDXEGvNKx0PtUZms4sEWPPYhH2wykSqLvVpDVB95o1LeVc13ngp0kODKIcz9tpD +gpUR2v6mu80qLd3ZpmYL/zEjIhMB7Ewxq/1Rq/on1LdcCibrPMYreI3r9uVmUorZ +EUPO+IHUdPUPK0Ufy84VtaQt2oQd/A== +=WyJi +-----END PGP SIGNATURE-----
