This is an automated email from the ASF dual-hosted git repository.

oscerd pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel-website.git

commit 84679ba165ff4be32d5178819f71fbaa1823e5a7
Author: Andrea Cosentino <[email protected]>
AuthorDate: Mon Jun 15 12:27:07 2026 +0200

    Added CVE-2026-49365
    
    Signed-off-by: Andrea Cosentino <[email protected]>
---
 content/security/CVE-2026-49365.md      | 17 +++++++++++++++++
 content/security/CVE-2026-49365.txt.asc | 31 +++++++++++++++++++++++++++++++
 2 files changed, 48 insertions(+)

diff --git a/content/security/CVE-2026-49365.md 
b/content/security/CVE-2026-49365.md
new file mode 100644
index 00000000..7ba889c8
--- /dev/null
+++ b/content/security/CVE-2026-49365.md
@@ -0,0 +1,17 @@
+---
+title: "Apache Camel Security Advisory - CVE-2026-49365"
+date: 2026-06-11T10:00:00+02:00
+url: /security/CVE-2026-49365.html
+draft: false
+type: security-advisory
+cve: CVE-2026-49365
+severity: MEDIUM
+summary: "Apache Camel: Camel-Netty-HTTP and Camel-Undertow: The muteException 
consumer option defaulted to false, so a processing error returned the full 
Java stack trace in the HTTP response body, disclosing sensitive internal 
information to unauthenticated clients"
+description: "The camel-netty-http and camel-undertow HTTP server consumers 
expose a muteException option that controls what is returned to the client when 
a route processing error occurs. In both components this option defaulted to 
false - in camel-netty-http because the backing field was an uninitialised 
primitive boolean (Java's default of false), and in camel-undertow likewise - 
whereas the other Camel HTTP server components (camel-http / camel-jetty / 
camel-servlet and camel-platfor [...]
+mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes 
the issue. If users are on the 4.14.x LTS releases stream, then they are 
suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, 
then they are suggested to upgrade to 4.18.3. For deployments that cannot 
upgrade immediately, set muteException=true explicitly on the camel-netty-http 
and camel-undertow consumers (for example 
netty-http:http://0.0.0.0:8080/api?muteException=true, or globally via  [...]
+credit: "This issue was discovered by Yu Bao from PayPal"
+affected: "From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 
before 4.21.0."
+fixed: 4.14.8, 4.18.3 and 4.21.0
+---
+
+The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23651 refers to 
the various commits that resolved the issue, and have more details. The fix was 
merged on main in https://github.com/apache/camel/pull/23913 (commit 
6cea553aa42ed1326ac57ad800d66674bc453932) and backported to camel-4.18.x 
(commit 1bd7389bd244da719404cf66d5b3676d41498bec) and camel-4.14.x (commit 
d3a13956ad2fd7280ad3ab678d79caf3bd0b4661). The fix aligns the muteException 
consumer-option default in camel-netty-htt [...]
diff --git a/content/security/CVE-2026-49365.txt.asc 
b/content/security/CVE-2026-49365.txt.asc
new file mode 100644
index 00000000..871599de
--- /dev/null
+++ b/content/security/CVE-2026-49365.txt.asc
@@ -0,0 +1,31 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+- ---
+title: "Apache Camel Security Advisory - CVE-2026-49365"
+date: 2026-06-11T10:00:00+02:00
+url: /security/CVE-2026-49365.html
+draft: false
+type: security-advisory
+cve: CVE-2026-49365
+severity: MEDIUM
+summary: "Apache Camel: Camel-Netty-HTTP and Camel-Undertow: The muteException 
consumer option defaulted to false, so a processing error returned the full 
Java stack trace in the HTTP response body, disclosing sensitive internal 
information to unauthenticated clients"
+description: "The camel-netty-http and camel-undertow HTTP server consumers 
expose a muteException option that controls what is returned to the client when 
a route processing error occurs. In both components this option defaulted to 
false - in camel-netty-http because the backing field was an uninitialised 
primitive boolean (Java's default of false), and in camel-undertow likewise - 
whereas the other Camel HTTP server components (camel-http / camel-jetty / 
camel-servlet and camel-platfor [...]
+mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes 
the issue. If users are on the 4.14.x LTS releases stream, then they are 
suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, 
then they are suggested to upgrade to 4.18.3. For deployments that cannot 
upgrade immediately, set muteException=true explicitly on the camel-netty-http 
and camel-undertow consumers (for example 
netty-http:http://0.0.0.0:8080/api?muteException=true, or globally via  [...]
+credit: "This issue was discovered by Yu Bao from PayPal"
+affected: "From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 
before 4.21.0."
+fixed: 4.14.8, 4.18.3 and 4.21.0
+- ---
+
+The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23651 refers to 
the various commits that resolved the issue, and have more details. The fix was 
merged on main in https://github.com/apache/camel/pull/23913 (commit 
6cea553aa42ed1326ac57ad800d66674bc453932) and backported to camel-4.18.x 
(commit 1bd7389bd244da719404cf66d5b3676d41498bec) and camel-4.14.x (commit 
d3a13956ad2fd7280ad3ab678d79caf3bd0b4661). The fix aligns the muteException 
consumer-option default in camel-netty-htt [...]
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmovx0oACgkQ406fOAL/
+QQAmrAgAlj+tDSZ4/gtiIW41O31rLAvgMJ0U0hVefE354YUob/ca1mNkk35EEsAk
+KdhXYXNTmN0ux4TIA5KvTCfGR4kp0jCBjShM4xOKZKNrSXWFoHoiUk/jn1CkYP8n
++JpIlc+33wqzCyWAkvgpJdfQdcaEeYoMP7WecWeX3hdF+QhvOr8veZXaDw2aMqug
+uDRoUiWuzHHQjPts/nU2YnDGg2wGutXS+NakFbxbiKD21mM0nXRBeipJ21lq5eZ8
+vb1s8jU0BFSlJPKjKTypQKZFVrssTnUmehbXwRh2192i7TxaxnlUVD7qvDjhxOL8
+ex6SFZqtL6S8hS/w/5q5CHL2Oo16TQ==
+=9yZh
+-----END PGP SIGNATURE-----

Reply via email to