This is an automated email from the ASF dual-hosted git repository. oscerd pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/camel-website.git
commit 0b3b95556ca793eb99a9cffa33a36e1d5da7f316 Author: Andrea Cosentino <[email protected]> AuthorDate: Mon Jun 15 12:27:06 2026 +0200 Added CVE-2026-46457 Signed-off-by: Andrea Cosentino <[email protected]> --- content/security/CVE-2026-46457.md | 17 +++++++++++++++++ content/security/CVE-2026-46457.txt.asc | 31 +++++++++++++++++++++++++++++++ 2 files changed, 48 insertions(+) diff --git a/content/security/CVE-2026-46457.md b/content/security/CVE-2026-46457.md new file mode 100644 index 00000000..ceb07acd --- /dev/null +++ b/content/security/CVE-2026-46457.md @@ -0,0 +1,17 @@ +--- +title: "Apache Camel Security Advisory - CVE-2026-46457" +date: 2026-06-10T10:00:00+02:00 +url: /security/CVE-2026-46457.html +draft: false +type: security-advisory +cve: CVE-2026-46457 +severity: MEDIUM +summary: "Apache Camel: Camel-NATS: Inbound NATS message headers are mapped into the Exchange without a configured HeaderFilterStrategy, allowing a client that can publish to the subject to inject Camel control headers" +description: "The camel-nats component maps inbound NATS message headers into the Camel Exchange but defaulted its headerFilterStrategy to a bare new DefaultHeaderFilterStrategy() with no inbound rules configured (NatsConfiguration). With no inFilter, inFilterPattern or inFilterStartsWith set, DefaultHeaderFilterStrategy.applyFilterToExternalHeaders returns not filtered for every header name, so NatsConsumer copies every NATS message header - including Camel-internal control headers such [...] +mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix makes camel-nats default to a dedicated NatsHeaderFilterStrategy that filters the Camel header namespace case-insensitively on inbound mapping, so client-supplied Camel* / camel* headers are no longer copied into [...] +credit: "This issue was discovered by Yu Bao from PayPal" +affected: "From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0." +fixed: 4.14.8, 4.18.3 and 4.21.0 +--- + +The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23515 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23233 (commit be8aad96fa04f81d2b58884e27ba6755c9ad2718) and backported to camel-4.18.x (commit 67f7ea7465a1bf637339975c69a82327890e22f0) and camel-4.14.x (commit f7022926ca9c1c94866bf32596c9869f424a3b2c). The issue is classified as CWE-20 (Improper Input Validation). It belongs t [...] diff --git a/content/security/CVE-2026-46457.txt.asc b/content/security/CVE-2026-46457.txt.asc new file mode 100644 index 00000000..44eda380 --- /dev/null +++ b/content/security/CVE-2026-46457.txt.asc @@ -0,0 +1,31 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +- --- +title: "Apache Camel Security Advisory - CVE-2026-46457" +date: 2026-06-10T10:00:00+02:00 +url: /security/CVE-2026-46457.html +draft: false +type: security-advisory +cve: CVE-2026-46457 +severity: MEDIUM +summary: "Apache Camel: Camel-NATS: Inbound NATS message headers are mapped into the Exchange without a configured HeaderFilterStrategy, allowing a client that can publish to the subject to inject Camel control headers" +description: "The camel-nats component maps inbound NATS message headers into the Camel Exchange but defaulted its headerFilterStrategy to a bare new DefaultHeaderFilterStrategy() with no inbound rules configured (NatsConfiguration). With no inFilter, inFilterPattern or inFilterStartsWith set, DefaultHeaderFilterStrategy.applyFilterToExternalHeaders returns not filtered for every header name, so NatsConsumer copies every NATS message header - including Camel-internal control headers such [...] +mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix makes camel-nats default to a dedicated NatsHeaderFilterStrategy that filters the Camel header namespace case-insensitively on inbound mapping, so client-supplied Camel* / camel* headers are no longer copied into [...] +credit: "This issue was discovered by Yu Bao from PayPal" +affected: "From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0." +fixed: 4.14.8, 4.18.3 and 4.21.0 +- --- + +The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23515 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23233 (commit be8aad96fa04f81d2b58884e27ba6755c9ad2718) and backported to camel-4.18.x (commit 67f7ea7465a1bf637339975c69a82327890e22f0) and camel-4.14.x (commit f7022926ca9c1c94866bf32596c9869f424a3b2c). The issue is classified as CWE-20 (Improper Input Validation). It belongs t [...] +-----BEGIN PGP SIGNATURE----- + +iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmovx0kACgkQ406fOAL/ +QQB8aAf/QXfXf5rWo8cQuLMBTT17kUjxZZoV1O0hO4b2l7DoSnh3/3XJ7UcSMvw5 +vrUGZJHSyP6CJkH8JTC603D6xuud/L9zu9v5gK9Lo8fb/VecmHvl+KT7GkPUpDkk +Qpzm3bZmSveSRfA0NXKPTpQLtJxXmZslg5HR2qux83Ijy7aRSK5mY3+B/uyUxs2W +9qpf4MBmGpt7grnURud2opDhfCZWvi9a/D8SFiuSZTZthybWWVQ9AOV6e0STrvX0 +nwSSaqqtU0i3j2L3xFFZZnWzUGVLOZy2zzNxMUTSshf26358Wc+wPD1QNKjSLvrO +Evx24Bsxd+6xemJADqW0RSIDwfOc+g== +=y/w1 +-----END PGP SIGNATURE-----
