This is an automated email from the ASF dual-hosted git repository.

oscerd pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel-website.git

commit 0b3b95556ca793eb99a9cffa33a36e1d5da7f316
Author: Andrea Cosentino <[email protected]>
AuthorDate: Mon Jun 15 12:27:06 2026 +0200

    Added CVE-2026-46457
    
    Signed-off-by: Andrea Cosentino <[email protected]>
---
 content/security/CVE-2026-46457.md      | 17 +++++++++++++++++
 content/security/CVE-2026-46457.txt.asc | 31 +++++++++++++++++++++++++++++++
 2 files changed, 48 insertions(+)

diff --git a/content/security/CVE-2026-46457.md 
b/content/security/CVE-2026-46457.md
new file mode 100644
index 00000000..ceb07acd
--- /dev/null
+++ b/content/security/CVE-2026-46457.md
@@ -0,0 +1,17 @@
+---
+title: "Apache Camel Security Advisory - CVE-2026-46457"
+date: 2026-06-10T10:00:00+02:00
+url: /security/CVE-2026-46457.html
+draft: false
+type: security-advisory
+cve: CVE-2026-46457
+severity: MEDIUM
+summary: "Apache Camel: Camel-NATS: Inbound NATS message headers are mapped 
into the Exchange without a configured HeaderFilterStrategy, allowing a client 
that can publish to the subject to inject Camel control headers"
+description: "The camel-nats component maps inbound NATS message headers into 
the Camel Exchange but defaulted its headerFilterStrategy to a bare new 
DefaultHeaderFilterStrategy() with no inbound rules configured 
(NatsConfiguration). With no inFilter, inFilterPattern or inFilterStartsWith 
set, DefaultHeaderFilterStrategy.applyFilterToExternalHeaders returns not 
filtered for every header name, so NatsConsumer copies every NATS message 
header - including Camel-internal control headers such [...]
+mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes 
the issue. If users are on the 4.14.x LTS releases stream, then they are 
suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, 
then they are suggested to upgrade to 4.18.3. The fix makes camel-nats default 
to a dedicated NatsHeaderFilterStrategy that filters the Camel header namespace 
case-insensitively on inbound mapping, so client-supplied Camel* / camel* 
headers are no longer copied into [...]
+credit: "This issue was discovered by Yu Bao from PayPal"
+affected: "From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 
before 4.21.0."
+fixed: 4.14.8, 4.18.3 and 4.21.0
+---
+
+The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23515 refers to 
the various commits that resolved the issue, and have more details. The fix was 
merged on main in https://github.com/apache/camel/pull/23233 (commit 
be8aad96fa04f81d2b58884e27ba6755c9ad2718) and backported to camel-4.18.x 
(commit 67f7ea7465a1bf637339975c69a82327890e22f0) and camel-4.14.x (commit 
f7022926ca9c1c94866bf32596c9869f424a3b2c). The issue is classified as CWE-20 
(Improper Input Validation). It belongs t [...]
diff --git a/content/security/CVE-2026-46457.txt.asc 
b/content/security/CVE-2026-46457.txt.asc
new file mode 100644
index 00000000..44eda380
--- /dev/null
+++ b/content/security/CVE-2026-46457.txt.asc
@@ -0,0 +1,31 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+- ---
+title: "Apache Camel Security Advisory - CVE-2026-46457"
+date: 2026-06-10T10:00:00+02:00
+url: /security/CVE-2026-46457.html
+draft: false
+type: security-advisory
+cve: CVE-2026-46457
+severity: MEDIUM
+summary: "Apache Camel: Camel-NATS: Inbound NATS message headers are mapped 
into the Exchange without a configured HeaderFilterStrategy, allowing a client 
that can publish to the subject to inject Camel control headers"
+description: "The camel-nats component maps inbound NATS message headers into 
the Camel Exchange but defaulted its headerFilterStrategy to a bare new 
DefaultHeaderFilterStrategy() with no inbound rules configured 
(NatsConfiguration). With no inFilter, inFilterPattern or inFilterStartsWith 
set, DefaultHeaderFilterStrategy.applyFilterToExternalHeaders returns not 
filtered for every header name, so NatsConsumer copies every NATS message 
header - including Camel-internal control headers such [...]
+mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes 
the issue. If users are on the 4.14.x LTS releases stream, then they are 
suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, 
then they are suggested to upgrade to 4.18.3. The fix makes camel-nats default 
to a dedicated NatsHeaderFilterStrategy that filters the Camel header namespace 
case-insensitively on inbound mapping, so client-supplied Camel* / camel* 
headers are no longer copied into [...]
+credit: "This issue was discovered by Yu Bao from PayPal"
+affected: "From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 
before 4.21.0."
+fixed: 4.14.8, 4.18.3 and 4.21.0
+- ---
+
+The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23515 refers to 
the various commits that resolved the issue, and have more details. The fix was 
merged on main in https://github.com/apache/camel/pull/23233 (commit 
be8aad96fa04f81d2b58884e27ba6755c9ad2718) and backported to camel-4.18.x 
(commit 67f7ea7465a1bf637339975c69a82327890e22f0) and camel-4.14.x (commit 
f7022926ca9c1c94866bf32596c9869f424a3b2c). The issue is classified as CWE-20 
(Improper Input Validation). It belongs t [...]
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmovx0kACgkQ406fOAL/
+QQB8aAf/QXfXf5rWo8cQuLMBTT17kUjxZZoV1O0hO4b2l7DoSnh3/3XJ7UcSMvw5
+vrUGZJHSyP6CJkH8JTC603D6xuud/L9zu9v5gK9Lo8fb/VecmHvl+KT7GkPUpDkk
+Qpzm3bZmSveSRfA0NXKPTpQLtJxXmZslg5HR2qux83Ijy7aRSK5mY3+B/uyUxs2W
+9qpf4MBmGpt7grnURud2opDhfCZWvi9a/D8SFiuSZTZthybWWVQ9AOV6e0STrvX0
+nwSSaqqtU0i3j2L3xFFZZnWzUGVLOZy2zzNxMUTSshf26358Wc+wPD1QNKjSLvrO
+Evx24Bsxd+6xemJADqW0RSIDwfOc+g==
+=y/w1
+-----END PGP SIGNATURE-----

Reply via email to