This is an automated email from the ASF dual-hosted git repository.

oscerd pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel-website.git

commit 89cbc85d0df92514303d0ef37eab2e2a77cb9f7e
Author: Andrea Cosentino <[email protected]>
AuthorDate: Fri Jun 19 12:13:32 2026 +0200

    Add CVE-2026-56140 (camel-aws2-sns defense-in-depth hardening)
    
    CAMEL-23506 added an inbound Camel-namespace filter to 
Sns2HeaderFilterStrategy alongside the camel-aws2-sqs fix. camel-aws2-sns is 
producer-only (Sns2Endpoint.createConsumer throws 
UnsupportedOperationException), so there is no reachable inbound 
header-injection path; document this as a LOW-severity defense-in-depth 
hardening advisory rather than an exploitable vulnerability, cross-referencing 
the consumer-side camel-aws2-sqs issue CVE-2026-46456. Shares the same fix (PR 
apache/camel [...]
    
    Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
    Signed-off-by: Andrea Cosentino <[email protected]>
---
 content/security/CVE-2026-46456.md      |  2 +-
 content/security/CVE-2026-46456.txt.asc | 18 +++++++++---------
 content/security/CVE-2026-56140.md      | 17 +++++++++++++++++
 content/security/CVE-2026-56140.txt.asc | 31 +++++++++++++++++++++++++++++++
 4 files changed, 58 insertions(+), 10 deletions(-)

diff --git a/content/security/CVE-2026-46456.md 
b/content/security/CVE-2026-46456.md
index d1d5ac9f..cb22f1f2 100644
--- a/content/security/CVE-2026-46456.md
+++ b/content/security/CVE-2026-46456.md
@@ -14,4 +14,4 @@ affected: "From 4.0.0 before 4.14.8, from 4.15.0 before 
4.18.3, from 4.19.0 befo
 fixed: 4.14.8, 4.18.3 and 4.21.0
 ---
 
-The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23506 refers to 
the various commits that resolved the issue, and have more details. The fix was 
merged on main in https://github.com/apache/camel/pull/23221 (commit 
5f57258fb33d33ef99df10594f8fe9f11d7c2b7e) and backported to camel-4.18.x 
(commit 7b334be0419839097a132d4ff3427fc4083e695e) and camel-4.14.x (commit 
b7f78292e747a28dbf5da444265557b5f9f3c1a1). The issue is classified as CWE-20 
(Improper Input Validation). It belongs t [...]
+The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23506 refers to 
the various commits that resolved the issue, and have more details. The fix was 
merged on main in https://github.com/apache/camel/pull/23221 (commit 
5f57258fb33d33ef99df10594f8fe9f11d7c2b7e) and backported to camel-4.18.x 
(commit 7b334be0419839097a132d4ff3427fc4083e695e) and camel-4.14.x (commit 
b7f78292e747a28dbf5da444265557b5f9f3c1a1). The issue is classified as CWE-20 
(Improper Input Validation). It belongs t [...]
diff --git a/content/security/CVE-2026-46456.txt.asc 
b/content/security/CVE-2026-46456.txt.asc
index 0d678e39..a4337324 100644
--- a/content/security/CVE-2026-46456.txt.asc
+++ b/content/security/CVE-2026-46456.txt.asc
@@ -17,15 +17,15 @@ affected: "From 4.0.0 before 4.14.8, from 4.15.0 before 
4.18.3, from 4.19.0 befo
 fixed: 4.14.8, 4.18.3 and 4.21.0
 - ---
 
-The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23506 refers to 
the various commits that resolved the issue, and have more details. The fix was 
merged on main in https://github.com/apache/camel/pull/23221 (commit 
5f57258fb33d33ef99df10594f8fe9f11d7c2b7e) and backported to camel-4.18.x 
(commit 7b334be0419839097a132d4ff3427fc4083e695e) and camel-4.14.x (commit 
b7f78292e747a28dbf5da444265557b5f9f3c1a1). The issue is classified as CWE-20 
(Improper Input Validation). It belongs t [...]
+The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23506 refers to 
the various commits that resolved the issue, and have more details. The fix was 
merged on main in https://github.com/apache/camel/pull/23221 (commit 
5f57258fb33d33ef99df10594f8fe9f11d7c2b7e) and backported to camel-4.18.x 
(commit 7b334be0419839097a132d4ff3427fc4083e695e) and camel-4.14.x (commit 
b7f78292e747a28dbf5da444265557b5f9f3c1a1). The issue is classified as CWE-20 
(Improper Input Validation). It belongs t [...]
 -----BEGIN PGP SIGNATURE-----
 
-iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmoyo1gACgkQ406fOAL/
-QQCyvggAql9wHXpY/x2jlr01p999d4PwDHRN8mQhSR1eKA9FaZDPXttQcxtdTZNr
-qgxzjhO1hI24NT2O7gdCj9HVN1NVbXreNOF31twq0kAYalyuzJ+/CZ2HSvj4RPh1
-SwTLvHP1WLBZ6TEj6yWIPFMOLvzsj+shqhLoESqReo0QE9grx4rIe4AqYpzpmkGW
-qi9o9KmlnAmpa6oj0yIZQAexn1HSydy9PQ7XXisFB1AxvNBvmW1NlGIkLGdr+e9k
-HWPUCgObroupRRiUN/T+YuSNQILIzZLTrgrstPplJcDyAHJokhHSlmim9v87ey6e
-cJybqgoQuk4sf2/JPgWyizM4PvD/Xg==
-=0BwF
+iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmo1FZQACgkQ406fOAL/
+QQA2GwgAtv+cPj7UTlFy4uI/exPy9K6PDkLgzvZJozUp1/WOZUnmu9DK/fVp2yHG
+9gsET7HZ32I/PhRKL/eWqMzi2g30kYC4iDHzY7yexDDBTLR3WJD9uqZDd3gBveeC
+z9WF4Iki8Kxn+T8zQEVVYouqaXDxxlJbowwz/1DpPfAdoGVnf1mgwYbxQkserpvl
+CMmWCWYpcqeMwdwhym/FjgFT9dCf6Q8jqz3vFZUYFdCeEBFoib++OY3I7uBOaUW5
+U4ACPZtNFjp+5VmfVDIq0A7E8vUIh9xAr+UDKW5hNdZOuwCfRqgy1KNNUhv1SKda
+KGG4goSkEYuN/xrGzukDUiQGVAj8mA==
+=de39
 -----END PGP SIGNATURE-----
diff --git a/content/security/CVE-2026-56140.md 
b/content/security/CVE-2026-56140.md
new file mode 100644
index 00000000..cb4c6016
--- /dev/null
+++ b/content/security/CVE-2026-56140.md
@@ -0,0 +1,17 @@
+---
+title: "Apache Camel Security Advisory - CVE-2026-56140"
+date: 2026-06-18T10:00:00+02:00
+url: /security/CVE-2026-56140.html
+draft: false
+type: security-advisory
+cve: CVE-2026-56140
+severity: LOW
+summary: "Camel-AWS2-SNS: An inbound Camel-namespace filter was added to 
Sns2HeaderFilterStrategy to align it with sibling components; because 
camel-aws2-sns is producer-only (no consumer) there is no reachable inbound 
header-injection path, so this is a defense-in-depth hardening change related 
to the camel-aws2-sqs issue CVE-2026-46456"
+description: "The camel-aws2-sns component filters Camel headers through a 
component-specific HeaderFilterStrategy, Sns2HeaderFilterStrategy. Like the 
sibling Sqs2HeaderFilterStrategy, it originally configured only an outbound 
filter (setOutFilterPattern, which blocks Camel*, breadcrumbId and 
org.apache.camel.* headers from being written out) and did not configure an 
inbound filter rule. For the related camel-aws2-sqs component this inbound gap 
was exploitable, because the Sqs2Consumer m [...]
+mitigation: "This is a defense-in-depth hardening change with no known exploit 
path in camel-aws2-sns, which is producer-only, so no urgent action or 
workaround is required. Users who want the aligned behaviour can upgrade to 
version 4.21.0, or to 4.14.8 on the 4.14.x LTS releases stream, or to 4.18.3 on 
the 4.18.x releases stream, which contain the change. As a general best 
practice, operators should continue to apply least-privilege IAM permissions on 
their SNS topics."
+credit: "This issue was reported by Yu Bao from PayPal, alongside the related 
camel-aws2-sqs issue (CVE-2026-46456)"
+affected: "From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 
before 4.21.0."
+fixed: 4.14.8, 4.18.3 and 4.21.0
+---
+
+The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23506 refers to 
the various commits that resolved the issue, and have more details. The fix was 
merged on main in https://github.com/apache/camel/pull/23221 (commit 
5f57258fb33d33ef99df10594f8fe9f11d7c2b7e) and backported to camel-4.18.x 
(commit 7b334be0419839097a132d4ff3427fc4083e695e) and camel-4.14.x (commit 
b7f78292e747a28dbf5da444265557b5f9f3c1a1). The change adds 
setInFilterStartsWith for the Camel namespace to Sns2Header [...]
diff --git a/content/security/CVE-2026-56140.txt.asc 
b/content/security/CVE-2026-56140.txt.asc
new file mode 100644
index 00000000..536a8353
--- /dev/null
+++ b/content/security/CVE-2026-56140.txt.asc
@@ -0,0 +1,31 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+- ---
+title: "Apache Camel Security Advisory - CVE-2026-56140"
+date: 2026-06-18T10:00:00+02:00
+url: /security/CVE-2026-56140.html
+draft: false
+type: security-advisory
+cve: CVE-2026-56140
+severity: LOW
+summary: "Camel-AWS2-SNS: An inbound Camel-namespace filter was added to 
Sns2HeaderFilterStrategy to align it with sibling components; because 
camel-aws2-sns is producer-only (no consumer) there is no reachable inbound 
header-injection path, so this is a defense-in-depth hardening change related 
to the camel-aws2-sqs issue CVE-2026-46456"
+description: "The camel-aws2-sns component filters Camel headers through a 
component-specific HeaderFilterStrategy, Sns2HeaderFilterStrategy. Like the 
sibling Sqs2HeaderFilterStrategy, it originally configured only an outbound 
filter (setOutFilterPattern, which blocks Camel*, breadcrumbId and 
org.apache.camel.* headers from being written out) and did not configure an 
inbound filter rule. For the related camel-aws2-sqs component this inbound gap 
was exploitable, because the Sqs2Consumer m [...]
+mitigation: "This is a defense-in-depth hardening change with no known exploit 
path in camel-aws2-sns, which is producer-only, so no urgent action or 
workaround is required. Users who want the aligned behaviour can upgrade to 
version 4.21.0, or to 4.14.8 on the 4.14.x LTS releases stream, or to 4.18.3 on 
the 4.18.x releases stream, which contain the change. As a general best 
practice, operators should continue to apply least-privilege IAM permissions on 
their SNS topics."
+credit: "This issue was reported by Yu Bao from PayPal, alongside the related 
camel-aws2-sqs issue (CVE-2026-46456)"
+affected: "From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 
before 4.21.0."
+fixed: 4.14.8, 4.18.3 and 4.21.0
+- ---
+
+The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23506 refers to 
the various commits that resolved the issue, and have more details. The fix was 
merged on main in https://github.com/apache/camel/pull/23221 (commit 
5f57258fb33d33ef99df10594f8fe9f11d7c2b7e) and backported to camel-4.18.x 
(commit 7b334be0419839097a132d4ff3427fc4083e695e) and camel-4.14.x (commit 
b7f78292e747a28dbf5da444265557b5f9f3c1a1). The change adds 
setInFilterStartsWith for the Camel namespace to Sns2Header [...]
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmo1FZQACgkQ406fOAL/
+QQAxeAf+N04am8wKY2AE7xhjf4wNeC2K151K+sbZIVbeCBK9TgH1A/MkHMFn/d6X
+2XM6GaIkfzipkX4WUZ8IG8vD0YgR76GSv3FUKhG0lxamLcr6xiUNCxWxKeKerdqn
+r4kC6kG7c/o2pE4lyYV37o/7b1iNQ6LdpQAtv6C+jufVHLP10Q45pkn6dBFaNeHF
+f2cWjttdz+B4UvD2W8KJK3K0hUfWbzCNHuETqfrYiP1qIv4EwWipKy292HLmJBmZ
+XC4mHMvg56b8zF/yfi0aUCGB5u8IqdcSvKW6YzJmsT8rf+9gKFHKuXPcVlZHpoZ/
+LZIDXeNRx5KK1tHJwcGRISTDr25ung==
+=Ghkm
+-----END PGP SIGNATURE-----

Reply via email to