This is an automated email from the ASF dual-hosted git repository.

oscerd pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel-website.git

commit 8e09c4f02e0a209cb04a39071393409389d4caf5
Author: Andrea Cosentino <[email protected]>
AuthorDate: Mon Jun 15 12:27:06 2026 +0200

    Added CVE-2026-48206
    
    Signed-off-by: Andrea Cosentino <[email protected]>
---
 content/security/CVE-2026-48206.md      | 17 +++++++++++++++++
 content/security/CVE-2026-48206.txt.asc | 31 +++++++++++++++++++++++++++++++
 2 files changed, 48 insertions(+)

diff --git a/content/security/CVE-2026-48206.md 
b/content/security/CVE-2026-48206.md
new file mode 100644
index 00000000..b210eb90
--- /dev/null
+++ b/content/security/CVE-2026-48206.md
@@ -0,0 +1,17 @@
+---
+title: "Apache Camel Security Advisory - CVE-2026-48206"
+date: 2026-06-11T10:00:00+02:00
+url: /security/CVE-2026-48206.html
+draft: false
+type: security-advisory
+cve: CVE-2026-48206
+severity: MEDIUM
+summary: "Apache Camel: Camel-JIRA: A set of non-Camel-prefixed Exchange 
header constants (IssueKey, ProjectKey, IssueTransitionId, ...) bypass the HTTP 
header filter, allowing an HTTP client to drive arbitrary JIRA issue operations 
using the endpoint's configured credentials"
+description: "The camel-jira producers read their operation parameters - the 
issue key, project key, transition id, summary, type, assignee, components, 
watchers, link type, work-log minutes and others - from Exchange message 
headers. The header constants defined in JiraConstants (for example ISSUE_KEY = 
IssueKey, ISSUE_PROJECT_KEY = ProjectKey, ISSUE_TRANSITION_ID = 
IssueTransitionId, LINK_TYPE = linkType) used plain, non-Camel-prefixed values. 
Because these names do not start with the  [...]
+mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes 
the issue. If users are on the 4.14.x LTS releases stream, then they are 
suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, 
then they are suggested to upgrade to 4.18.3. After upgrading, routes that 
drive JIRA operations via the raw header names must use the CamelJira* names 
(for example CamelJiraIssueKey) instead of the old values. For deployments that 
cannot upgrade immediately, strip  [...]
+credit: "This issue was discovered by Yu Bao from PayPal"
+affected: "From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 
before 4.21.0."
+fixed: 4.14.8, 4.18.3 and 4.21.0
+---
+
+The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23576 refers to 
the various commits that resolved the issue, and have more details. The fix was 
merged on main in https://github.com/apache/camel/pull/23417 (commit 
3240a174a3707ba2b1d893c4ac0880829e0c9233) and backported to camel-4.18.x 
(commit 024704f95f16d1260304054088fa0b34acb57ebf) and camel-4.14.x (commit 
6863ea624605ab3fa8827c43a4c5df333f767dc4). The fix renames the camel-jira 
Exchange header constant values to the Camel [...]
diff --git a/content/security/CVE-2026-48206.txt.asc 
b/content/security/CVE-2026-48206.txt.asc
new file mode 100644
index 00000000..b2989423
--- /dev/null
+++ b/content/security/CVE-2026-48206.txt.asc
@@ -0,0 +1,31 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+- ---
+title: "Apache Camel Security Advisory - CVE-2026-48206"
+date: 2026-06-11T10:00:00+02:00
+url: /security/CVE-2026-48206.html
+draft: false
+type: security-advisory
+cve: CVE-2026-48206
+severity: MEDIUM
+summary: "Apache Camel: Camel-JIRA: A set of non-Camel-prefixed Exchange 
header constants (IssueKey, ProjectKey, IssueTransitionId, ...) bypass the HTTP 
header filter, allowing an HTTP client to drive arbitrary JIRA issue operations 
using the endpoint's configured credentials"
+description: "The camel-jira producers read their operation parameters - the 
issue key, project key, transition id, summary, type, assignee, components, 
watchers, link type, work-log minutes and others - from Exchange message 
headers. The header constants defined in JiraConstants (for example ISSUE_KEY = 
IssueKey, ISSUE_PROJECT_KEY = ProjectKey, ISSUE_TRANSITION_ID = 
IssueTransitionId, LINK_TYPE = linkType) used plain, non-Camel-prefixed values. 
Because these names do not start with the  [...]
+mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes 
the issue. If users are on the 4.14.x LTS releases stream, then they are 
suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, 
then they are suggested to upgrade to 4.18.3. After upgrading, routes that 
drive JIRA operations via the raw header names must use the CamelJira* names 
(for example CamelJiraIssueKey) instead of the old values. For deployments that 
cannot upgrade immediately, strip  [...]
+credit: "This issue was discovered by Yu Bao from PayPal"
+affected: "From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 
before 4.21.0."
+fixed: 4.14.8, 4.18.3 and 4.21.0
+- ---
+
+The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23576 refers to 
the various commits that resolved the issue, and have more details. The fix was 
merged on main in https://github.com/apache/camel/pull/23417 (commit 
3240a174a3707ba2b1d893c4ac0880829e0c9233) and backported to camel-4.18.x 
(commit 024704f95f16d1260304054088fa0b34acb57ebf) and camel-4.14.x (commit 
6863ea624605ab3fa8827c43a4c5df333f767dc4). The fix renames the camel-jira 
Exchange header constant values to the Camel [...]
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmovx0kACgkQ406fOAL/
+QQAAuggArugs/6V+nI9LE0vFZajL+mLLpH+6xzPTWwVMGLBEiehpTn7DPGbMfLrq
+5s2MZHhnr3Mk5EC2ZZtCBKUlbiECLiSR2v0hLFt58FJMjGY6oubYOYOyFhroZvjP
+pq20roznx2oFcOWm9XEK9DN1CynNgpteWi0KKDUYQdK6pfSSvGgAKNl+he7RFgz9
+SuDXEGvNKx0PtUZms4sEWPPYhH2wykSqLvVpDVB95o1LeVc13ngp0kODKIcz9tpD
+gpUR2v6mu80qLd3ZpmYL/zEjIhMB7Ewxq/1Rq/on1LdcCibrPMYreI3r9uVmUorZ
+EUPO+IHUdPUPK0Ufy84VtaQt2oQd/A==
+=WyJi
+-----END PGP SIGNATURE-----

Reply via email to