This is an automated email from the ASF dual-hosted git repository. oscerd pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/camel-website.git
commit 8866379a24218d16c26c4ddcd9f5bbc2888e5afb Author: Andrea Cosentino <[email protected]> AuthorDate: Wed Jun 17 15:41:11 2026 +0200 Removed redundant "Apache Camel:" prefix from June 2026 CVE advisory summaries Stripped the leading "Apache Camel: " from the summary field of the 23 security advisories added in June 2026, since the prefix is redundant on the Apache Camel security pages. Regenerated and re-signed each matching .txt.asc clearsigned file from the updated .md using the original advisory key (27663406EB6DBAF5291F2615E34E9F3802FF4100, SHA512), so the signed copies stay in sync. Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]> Signed-off-by: Andrea Cosentino <[email protected]> --- content/security/CVE-2026-40859.md | 2 +- content/security/CVE-2026-40859.txt.asc | 18 +++++++++--------- content/security/CVE-2026-43865.md | 2 +- content/security/CVE-2026-43865.txt.asc | 18 +++++++++--------- content/security/CVE-2026-46453.md | 2 +- content/security/CVE-2026-46453.txt.asc | 18 +++++++++--------- content/security/CVE-2026-46454.md | 2 +- content/security/CVE-2026-46454.txt.asc | 18 +++++++++--------- content/security/CVE-2026-46455.md | 2 +- content/security/CVE-2026-46455.txt.asc | 18 +++++++++--------- content/security/CVE-2026-46456.md | 2 +- content/security/CVE-2026-46456.txt.asc | 18 +++++++++--------- content/security/CVE-2026-46457.md | 2 +- content/security/CVE-2026-46457.txt.asc | 18 +++++++++--------- content/security/CVE-2026-46584.md | 2 +- content/security/CVE-2026-46584.txt.asc | 18 +++++++++--------- content/security/CVE-2026-46585.md | 2 +- content/security/CVE-2026-46585.txt.asc | 18 +++++++++--------- content/security/CVE-2026-46590.md | 2 +- content/security/CVE-2026-46590.txt.asc | 18 +++++++++--------- content/security/CVE-2026-46591.md | 2 +- content/security/CVE-2026-46591.txt.asc | 18 +++++++++--------- content/security/CVE-2026-46592.md | 2 +- content/security/CVE-2026-46592.txt.asc | 18 +++++++++--------- content/security/CVE-2026-46726.md | 2 +- content/security/CVE-2026-46726.txt.asc | 18 +++++++++--------- content/security/CVE-2026-48203.md | 2 +- content/security/CVE-2026-48203.txt.asc | 18 +++++++++--------- content/security/CVE-2026-48204.md | 2 +- content/security/CVE-2026-48204.txt.asc | 18 +++++++++--------- content/security/CVE-2026-48205.md | 2 +- content/security/CVE-2026-48205.txt.asc | 18 +++++++++--------- content/security/CVE-2026-48206.md | 2 +- content/security/CVE-2026-48206.txt.asc | 18 +++++++++--------- content/security/CVE-2026-49086.md | 2 +- content/security/CVE-2026-49086.txt.asc | 18 +++++++++--------- content/security/CVE-2026-49097.md | 2 +- content/security/CVE-2026-49097.txt.asc | 18 +++++++++--------- content/security/CVE-2026-49098.md | 2 +- content/security/CVE-2026-49098.txt.asc | 18 +++++++++--------- content/security/CVE-2026-49099.md | 2 +- content/security/CVE-2026-49099.txt.asc | 18 +++++++++--------- content/security/CVE-2026-49365.md | 2 +- content/security/CVE-2026-49365.txt.asc | 18 +++++++++--------- content/security/CVE-2026-53913.md | 2 +- content/security/CVE-2026-53913.txt.asc | 18 +++++++++--------- 46 files changed, 230 insertions(+), 230 deletions(-) diff --git a/content/security/CVE-2026-40859.md b/content/security/CVE-2026-40859.md index 331bcb8d..0925b1cd 100644 --- a/content/security/CVE-2026-40859.md +++ b/content/security/CVE-2026-40859.md @@ -6,7 +6,7 @@ draft: false type: security-advisory cve: CVE-2026-40859 severity: MEDIUM -summary: "Apache Camel: Camel-Vertx-Http and Camel-Netty-Http: Unsafe Java deserialization of HTTP response bodies via a raw ObjectInputStream when transferException is enabled" +summary: "Camel-Vertx-Http and Camel-Netty-Http: Unsafe Java deserialization of HTTP response bodies via a raw ObjectInputStream when transferException is enabled" description: "The camel-vertx-http and camel-netty-http components deserialize HTTP response bodies carrying the Content-Type application/x-java-serialized-object using a raw java.io.ObjectInputStream, without applying any ObjectInputFilter (VertxHttpHelper.deserializeJavaObjectFromStream and NettyHttpHelper.deserializeJavaObjectFromStream). This deserialization path is reached only when the producer endpoint is configured with transferException=true (or the component-level allowJavaSeri [...] mitigation: "Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, the deserialization performed by both helper utilities is constrained by a default ObjectInputFilter (allow-list java.**;javax.**;org.apache.camel.**;!*), which can be customised through the new deserial [...] credit: "This issue was discovered by Venkatraman Kumar from Securin" diff --git a/content/security/CVE-2026-40859.txt.asc b/content/security/CVE-2026-40859.txt.asc index 49dada4d..a13b1cef 100644 --- a/content/security/CVE-2026-40859.txt.asc +++ b/content/security/CVE-2026-40859.txt.asc @@ -9,7 +9,7 @@ draft: false type: security-advisory cve: CVE-2026-40859 severity: MEDIUM -summary: "Apache Camel: Camel-Vertx-Http and Camel-Netty-Http: Unsafe Java deserialization of HTTP response bodies via a raw ObjectInputStream when transferException is enabled" +summary: "Camel-Vertx-Http and Camel-Netty-Http: Unsafe Java deserialization of HTTP response bodies via a raw ObjectInputStream when transferException is enabled" description: "The camel-vertx-http and camel-netty-http components deserialize HTTP response bodies carrying the Content-Type application/x-java-serialized-object using a raw java.io.ObjectInputStream, without applying any ObjectInputFilter (VertxHttpHelper.deserializeJavaObjectFromStream and NettyHttpHelper.deserializeJavaObjectFromStream). This deserialization path is reached only when the producer endpoint is configured with transferException=true (or the component-level allowJavaSeri [...] mitigation: "Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, the deserialization performed by both helper utilities is constrained by a default ObjectInputFilter (allow-list java.**;javax.**;org.apache.camel.**;!*), which can be customised through the new deserial [...] credit: "This issue was discovered by Venkatraman Kumar from Securin" @@ -20,12 +20,12 @@ fixed: 4.14.8, 4.18.3 and 4.20.0 The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23324 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/22613 (commit e735f56b4bcae040a6a113a83bf08d41b8696c43, released in 4.20.0) and backported to camel-4.18.x (commit a3835afef108fef9eaf04165faed91784889407f, PR #22637) and camel-4.14.x (commit 04019cf90a4b09e263d2df4ad4cacea85a9d72ee, PR #22768). Exploitation requires the non-def [...] -----BEGIN PGP SIGNATURE----- -iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmovy7sACgkQ406fOAL/ -QQDUsgf/VKtr0Ly6x5Hfj7x0Dpn3ZUJaSKW6Zk4pFpYstbxHXj5xKaHi4839gtJN -ygGgz9x7nQuRdsuAMZgeZb923OM2X87O4EyX+sNqAkDlSijMN3VNVgMyt4Wi5fbb -NlCaWTRVwcUoEfkuYm68wVXxfkO5ecbvJ06BmCL0fU1rVfSLWjHv3jWWMUYosneW -BdZ0f3L7iJaGxC/SldSxespbIx2q6STo1nRF6u9zb2BXGhA1tq5+ztXssd2eKB/z -32YPpog5R4ptnliA228FWR8Nr+m9mVjgfsKVgJT+fhGTiwVzln2KT+cueqmnvmsQ -lRSPYRYDNabYquXxH0AfJWgGWL/uMQ== -=RXFq +iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmoyo1gACgkQ406fOAL/ +QQCI/Af7BEYPiylFrYj4t+6AasXVYgUAw5A9AVZ63zB9svw/d4CCGG38hTHTc8aD +SJ+1zE5e444dGG0DLHwauQm/46N+Seh1m90SHc13fGYz/eUGzuashb3dO3VOiaLn +tHBJmoUeNl7CGnFAuVFg1o5ISualI24WWMVP23uZAgFpWPIiZ6Uxi0uAF+J5YhUK +xJpkP7e2AT+tzkOluFnIKzmewIYoFmzFDJ+glhoTpTgF424aLpeopBQMais6mn56 +POnaWy8bGcHb93DZJX1PKJZHB/xrogABUuIm8XDKX9xuVJVgL5eOZUzyA31POH8p +NPHIBUNlymSRkSQrTev0fd0AFcVzJw== +=z6i8 -----END PGP SIGNATURE----- diff --git a/content/security/CVE-2026-43865.md b/content/security/CVE-2026-43865.md index e379a29e..3816671b 100644 --- a/content/security/CVE-2026-43865.md +++ b/content/security/CVE-2026-43865.md @@ -6,7 +6,7 @@ draft: false type: security-advisory cve: CVE-2026-43865 severity: MEDIUM -summary: "Apache Camel: Camel-Hazelcast: Unsafe Java deserialization in default-configured managed Hazelcast instances enables remote code execution" +summary: "Camel-Hazelcast: Unsafe Java deserialization in default-configured managed Hazelcast instances enables remote code execution" description: "The camel-hazelcast component creates and manages Hazelcast instances using a default configuration that applies no Java deserialization filter. When Camel builds the Hazelcast Config itself - that is, when no user-supplied HazelcastInstance, hazelcastConfigUri, or referenced Config bean is provided - neither Hazelcast's JavaSerializationFilterConfig nor a Camel-side ObjectInputFilter is configured, so objects received over the Hazelcast cluster protocol are deserialized in [...] mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix makes Camel apply a default Hazelcast JavaSerializationFilterConfig (whitelisting the java., javax. and org.apache.camel. class-name prefixes and blacklisting java.net.) to instances it creates from its own defau [...] credit: "This issue was discovered by gaorenyusi" diff --git a/content/security/CVE-2026-43865.txt.asc b/content/security/CVE-2026-43865.txt.asc index 850b811d..0b90239d 100644 --- a/content/security/CVE-2026-43865.txt.asc +++ b/content/security/CVE-2026-43865.txt.asc @@ -9,7 +9,7 @@ draft: false type: security-advisory cve: CVE-2026-43865 severity: MEDIUM -summary: "Apache Camel: Camel-Hazelcast: Unsafe Java deserialization in default-configured managed Hazelcast instances enables remote code execution" +summary: "Camel-Hazelcast: Unsafe Java deserialization in default-configured managed Hazelcast instances enables remote code execution" description: "The camel-hazelcast component creates and manages Hazelcast instances using a default configuration that applies no Java deserialization filter. When Camel builds the Hazelcast Config itself - that is, when no user-supplied HazelcastInstance, hazelcastConfigUri, or referenced Config bean is provided - neither Hazelcast's JavaSerializationFilterConfig nor a Camel-side ObjectInputFilter is configured, so objects received over the Hazelcast cluster protocol are deserialized in [...] mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix makes Camel apply a default Hazelcast JavaSerializationFilterConfig (whitelisting the java., javax. and org.apache.camel. class-name prefixes and blacklisting java.net.) to instances it creates from its own defau [...] credit: "This issue was discovered by gaorenyusi" @@ -20,12 +20,12 @@ fixed: 4.14.8, 4.18.3 and 4.21.0 The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23414 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/22943 (commit 7a309042f22493082647a410d9d8cafd672b1c74) and backported to camel-4.18.x (commit 5caf4368551f6d3b61690d5db03869491390d446) and camel-4.14.x (commit 974a11b5ed5e2d50722f33aa48f61898395ea45b). This issue is distinct from the Hazelcast library deserialization advisorie [...] -----BEGIN PGP SIGNATURE----- -iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmovy8AACgkQ406fOAL/ -QQD7JAf/YgC+G4HXeCYgWMqvG1pTCU0Ql0U+lwH96AwFBlAaK/mIl7oVER9+/AqY -LI7LU52ZQ9e9rv8tFhRc6F6DyRXtLx2rXG4zmPiq+ResF4X8unYUDQgXSYdgp1AN -Qvygd6toAQs1/i1Ox1RAeU+/+qS6RxEvWf/rbvQxjeEWZVyMnmHCt5EO9KPL4PRA -RxSnKiyXGERdSga1XnesUQgtolAyLk/OAth0CJjVzuAUTAHdHmC0ZOhGApIM5lkS -uyzogTHlMS0LXLYkghIhmsyRbnUaJSZsuL1NsOA3gyPEzaXsiXKWEAw7JWo1jAoS -S4ytZVtWnX5veJNAJub41Ni61XoxOg== -=y0Ru +iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmoyo1gACgkQ406fOAL/ +QQC3aQf+J/TnVKZ57Thfhkxm1tkg0ApytR715TjMTazsGIH49J6d1ImumKuGDLKa +7Tdj1ZPfDhOpca3wclTjCgw0ELR1benN4fLMmGmXV30ukIhQkpCUqoBo9dOS4lPX +vA/A0Z+lpcLoGGyIp0mOlZr0YfMKaMor10KI2Hp3MeXJuzAbW8PyekkywfoWW+ze +XAhc7sCZvbLAroNwP203RBfMjVmYhUKl9+TnRf30HVXD6dCeJp30oByqC+5Miyr8 +RphtOfFNiZpSzgcEdsoUl7Qz8sDZ4nhPjLYuNTONSsDZp/aVLJVN+lAk3Yynw3Q5 +s/FpR1j0k2ogeH/k1cNXsaFOe+kUWQ== +=i3eL -----END PGP SIGNATURE----- diff --git a/content/security/CVE-2026-46453.md b/content/security/CVE-2026-46453.md index 0fc58149..fe3dea88 100644 --- a/content/security/CVE-2026-46453.md +++ b/content/security/CVE-2026-46453.md @@ -6,7 +6,7 @@ draft: false type: security-advisory cve: CVE-2026-46453 severity: MEDIUM -summary: "Apache Camel: Camel-Elasticsearch-Rest-Client: Exchange header constants without the Camel prefix bypass inbound HTTP header filtering, allowing untrusted clients to override the Elasticsearch query and operation" +summary: "Camel-Elasticsearch-Rest-Client: Exchange header constants without the Camel prefix bypass inbound HTTP header filtering, allowing untrusted clients to override the Elasticsearch query and operation" description: "The camel-elasticsearch-rest-client component reads several Exchange headers to control its behaviour - SEARCH_QUERY (an advanced query body), OPERATION (which Elasticsearch operation to run), INDEX_NAME, INDEX_SETTINGS and ID. The string values of these header constants, defined in ElasticSearchRestClientConstant, are plain unprefixed names ('SEARCH_QUERY', 'OPERATION', 'INDEX_NAME', 'INDEX_SETTINGS', 'ID') rather than the 'Camel'-prefixed names used by every other Camel c [...] mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix renames the camel-elasticsearch-rest-client Exchange header constant string values (ID, SEARCH_QUERY, INDEX_SETTINGS, INDEX_NAME, OPERATION) to carry the Camel prefix (CamelElasticsearchId, CamelElasticsearchSear [...] credit: "This issue was discovered by Yu Bao from PayPal" diff --git a/content/security/CVE-2026-46453.txt.asc b/content/security/CVE-2026-46453.txt.asc index 58350af7..40075449 100644 --- a/content/security/CVE-2026-46453.txt.asc +++ b/content/security/CVE-2026-46453.txt.asc @@ -9,7 +9,7 @@ draft: false type: security-advisory cve: CVE-2026-46453 severity: MEDIUM -summary: "Apache Camel: Camel-Elasticsearch-Rest-Client: Exchange header constants without the Camel prefix bypass inbound HTTP header filtering, allowing untrusted clients to override the Elasticsearch query and operation" +summary: "Camel-Elasticsearch-Rest-Client: Exchange header constants without the Camel prefix bypass inbound HTTP header filtering, allowing untrusted clients to override the Elasticsearch query and operation" description: "The camel-elasticsearch-rest-client component reads several Exchange headers to control its behaviour - SEARCH_QUERY (an advanced query body), OPERATION (which Elasticsearch operation to run), INDEX_NAME, INDEX_SETTINGS and ID. The string values of these header constants, defined in ElasticSearchRestClientConstant, are plain unprefixed names ('SEARCH_QUERY', 'OPERATION', 'INDEX_NAME', 'INDEX_SETTINGS', 'ID') rather than the 'Camel'-prefixed names used by every other Camel c [...] mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix renames the camel-elasticsearch-rest-client Exchange header constant string values (ID, SEARCH_QUERY, INDEX_SETTINGS, INDEX_NAME, OPERATION) to carry the Camel prefix (CamelElasticsearchId, CamelElasticsearchSear [...] credit: "This issue was discovered by Yu Bao from PayPal" @@ -20,12 +20,12 @@ fixed: 4.14.8, 4.18.3 and 4.21.0 The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23508 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23212 (commit 81f3a625c8853d6dff5fd748a0da9dba259c4076) and backported to camel-4.18.x (commit ff88400e3a95af16e17d553b34d3752d96496c5d, PR #23244) and camel-4.14.x (commit 0a87d31c8d19f59da4a5477bde192cc258ecc5d7, PR #23360). The issue is classified as CWE-20 (Improper Input Val [...] -----BEGIN PGP SIGNATURE----- -iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmovy8EACgkQ406fOAL/ -QQAFEAgAhox0nKt3x1kgCiO+K6E7x1TMOP5lvJgVc/jWdw66LONWrPYyrBR8Q9Il -6xref4IIj3IxfyEyzyRFSDtowLhkouwhepZF02QWSo9HXMpCjraYHdf0or6JCoD0 -VW7yFzfjImth+DCeOXyj+P77O2VESa0BA+wM4VwZ4qjXXcGA9yr+YbZvUGMkG7Op -fz6PsxtgLkUbZbqJn+1RKAKRn9AMyH01qtwna5aSuCia9aZiEfsTYefqMG74E6l7 -B2rIfvzdteXfvQuzCDSIbkAP0OIKBlxXrUki++d242MvqoiLGmOrMpZjHo3z0GQt -nPQ3nrXhkjhzlqJV+RtpAI5leGvPng== -=2lE+ +iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmoyo1gACgkQ406fOAL/ +QQDamggAqGeXRUdFnHe6nDcu+ASEi6M3OLc0YzpB3/RU/gfJrEo4rCwqN/TnTJIb ++jBYw8SkJ0D9oj/XKcdGV6A7UXxR1ZZHb7O+e16+PnPOLzsaBx/lKanwipWTFHUG +Xu2cLWZJLs9xAGqUL0HvyUSiXYBZca2Ri/17TFoj5Ua8boVmfaRD8yoC3A9WAbmG +T+m6hacARTh9xd8v/G2TE0bGtNgqxD520BDOlLHMJyAy2dRvXR2F8HFt09EedxQ3 +FFpSTFEyrLtXi1I/oeMZ633Tv8VrKjAdZiNeYcVDBFkN95cZautgR09WV5geiTuW +5Pk0e66vZGB668e31TCXFz5tw4kneQ== +=v1L2 -----END PGP SIGNATURE----- diff --git a/content/security/CVE-2026-46454.md b/content/security/CVE-2026-46454.md index 885beb9c..e9ee312c 100644 --- a/content/security/CVE-2026-46454.md +++ b/content/security/CVE-2026-46454.md @@ -6,7 +6,7 @@ draft: false type: security-advisory cve: CVE-2026-46454 severity: MEDIUM -summary: "Apache Camel: Camel-Cometd: Inbound Bayeux message headers are mapped into the Exchange without a HeaderFilterStrategy, allowing unauthenticated clients to inject Camel control headers" +summary: "Camel-Cometd: Inbound Bayeux message headers are mapped into the Exchange without a HeaderFilterStrategy, allowing unauthenticated clients to inject Camel control headers" description: "The camel-cometd component maps inbound Bayeux (CometD) message headers into the Camel Exchange without applying a HeaderFilterStrategy. CometdBinding.populateExchangeFromMessage copies the entire ext.CamelHeaders map supplied by the CometD client directly onto the Camel message (message.setHeaders), so any header name - including Camel-internal control headers such as CamelHttpUri, CamelFileName or CamelJmsDestinationName - is accepted unmodified. Because a CometdComponent [...] mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix implements a HeaderFilterStrategy in the camel-cometd binding (a long-standing TODO in the code) that filters the Camel header namespace case-insensitively on inbound mapping, so client-supplied Camel* / camel* h [...] credit: "This issue was discovered by Yu Bao from PayPal" diff --git a/content/security/CVE-2026-46454.txt.asc b/content/security/CVE-2026-46454.txt.asc index 42de74ba..6b9cfffa 100644 --- a/content/security/CVE-2026-46454.txt.asc +++ b/content/security/CVE-2026-46454.txt.asc @@ -9,7 +9,7 @@ draft: false type: security-advisory cve: CVE-2026-46454 severity: MEDIUM -summary: "Apache Camel: Camel-Cometd: Inbound Bayeux message headers are mapped into the Exchange without a HeaderFilterStrategy, allowing unauthenticated clients to inject Camel control headers" +summary: "Camel-Cometd: Inbound Bayeux message headers are mapped into the Exchange without a HeaderFilterStrategy, allowing unauthenticated clients to inject Camel control headers" description: "The camel-cometd component maps inbound Bayeux (CometD) message headers into the Camel Exchange without applying a HeaderFilterStrategy. CometdBinding.populateExchangeFromMessage copies the entire ext.CamelHeaders map supplied by the CometD client directly onto the Camel message (message.setHeaders), so any header name - including Camel-internal control headers such as CamelHttpUri, CamelFileName or CamelJmsDestinationName - is accepted unmodified. Because a CometdComponent [...] mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix implements a HeaderFilterStrategy in the camel-cometd binding (a long-standing TODO in the code) that filters the Camel header namespace case-insensitively on inbound mapping, so client-supplied Camel* / camel* h [...] credit: "This issue was discovered by Yu Bao from PayPal" @@ -20,12 +20,12 @@ fixed: 4.14.8, 4.18.3 and 4.21.0 The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23507 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23211 (commit e20bdc2a6a3fd1128bcebe1b64c8e8589f0bc57d) and backported to camel-4.18.x (commit e9c741b4908dcffc0e1a7b1a5e6207a46aaac608) and camel-4.14.x (commit 6fad391f9f5257b93ce07d9b8e5e7f486210d4f5). The issue is classified as CWE-20 (Improper Input Validation). It belongs t [...] -----BEGIN PGP SIGNATURE----- -iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmovy8EACgkQ406fOAL/ -QQCnzwgAt/h8xwSJISKfmphsT4XxME4V/Oj3EGg6VJXV+Om+8MdIgFqyqEo648Oq -klXgDf1MHjSkS/xmQXwZLY0rIkbiiXH/Xklo9Vr1un9I5R+ntuHJ32FwizoQuYWp -9UjZH60CGLmrHM8uvdHzINm6alCLitLoLo7vRg0W/yrWI6OVdFNeZP5iCDtSyLvw -Q4/GtYwVsi5xakzhgLE1kkWu9h1Mi2cKqg6PR2cuqj93EENPL7VFkD7f5BVO3qp4 -5biPUMOxoKfPaCtTrdGsm7p+2pYygDSQetu0gywOEBmOdIfe/VjwoqGpK/VhpFXZ -/NqWn4BL7iUoreZWfC8et9Rod96ykQ== -=h2kJ +iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmoyo1gACgkQ406fOAL/ +QQB3NggAglQ6mf5GsX6ZvYP3oQ5G1UOT6gj4A8Es96Da+1jz6tM2bQSu1TQvHXqm +W/FDia5jm8e8+FmlXXv7kQlUy0K3EqMeAq1E3i9LCmKYQLFx+fcSJ1H9a4WrT376 +cGZg0CGB2dlYMdGrevcGek40l3BMzbwyM5CqqigBDiJGJETWmLObiLTxenWUYoNf +diPLOMrGh+YNdw12RFRuLtzUizpgBnyPJnnSbfGbJRUvZoSo9jn5Ng5PhB1Q8yow +IGG+Vfnq5hAgLB21LmFVqeG6lHpCqdk63XbMGbPx31Tbsp5AX1vDFx6RbqN0nx+L +nxrzyTMYoYBChnanLJ75Cst6kKLkDQ== +=U8FA -----END PGP SIGNATURE----- diff --git a/content/security/CVE-2026-46455.md b/content/security/CVE-2026-46455.md index 87624d68..f654d67e 100644 --- a/content/security/CVE-2026-46455.md +++ b/content/security/CVE-2026-46455.md @@ -6,7 +6,7 @@ draft: false type: security-advisory cve: CVE-2026-46455 severity: MEDIUM -summary: "Apache Camel: Camel-Keycloak: The access-token validity window is not verified because the IS_ACTIVE check is missing from the TokenVerifier, allowing expired tokens to be accepted" +summary: "Camel-Keycloak: The access-token validity window is not verified because the IS_ACTIVE check is missing from the TokenVerifier, allowing expired tokens to be accepted" description: "The camel-keycloak security helper KeycloakSecurityHelper.parseAndVerifyAccessToken builds a Keycloak TokenVerifier using withChecks(...) with only the subject-exists check and the realm-URL (issuer) check. Keycloak's TokenVerifier.withChecks(...) appends to an initially empty check list - the upstream default checks are installed only when withDefaultChecks() is called - so the built-in IS_ACTIVE predicate, which validates the token's exp (expiration) and nbf (not-before) [...] mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix makes KeycloakSecurityHelper.parseAndVerifyAccessToken include the TokenVerifier.IS_ACTIVE check so that expired or not-yet-valid access tokens are rejected, aligning the helper with Keycloak's default check set. For deployments that cannot upgrade immediately, enforce token expiration outside the helper [...] credit: "This issue was discovered by Andrea Cosentino from Apache Software Foundation and Yu Bao from Paypal" diff --git a/content/security/CVE-2026-46455.txt.asc b/content/security/CVE-2026-46455.txt.asc index 1fd1ebea..082b7a9d 100644 --- a/content/security/CVE-2026-46455.txt.asc +++ b/content/security/CVE-2026-46455.txt.asc @@ -9,7 +9,7 @@ draft: false type: security-advisory cve: CVE-2026-46455 severity: MEDIUM -summary: "Apache Camel: Camel-Keycloak: The access-token validity window is not verified because the IS_ACTIVE check is missing from the TokenVerifier, allowing expired tokens to be accepted" +summary: "Camel-Keycloak: The access-token validity window is not verified because the IS_ACTIVE check is missing from the TokenVerifier, allowing expired tokens to be accepted" description: "The camel-keycloak security helper KeycloakSecurityHelper.parseAndVerifyAccessToken builds a Keycloak TokenVerifier using withChecks(...) with only the subject-exists check and the realm-URL (issuer) check. Keycloak's TokenVerifier.withChecks(...) appends to an initially empty check list - the upstream default checks are installed only when withDefaultChecks() is called - so the built-in IS_ACTIVE predicate, which validates the token's exp (expiration) and nbf (not-before) [...] mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix makes KeycloakSecurityHelper.parseAndVerifyAccessToken include the TokenVerifier.IS_ACTIVE check so that expired or not-yet-valid access tokens are rejected, aligning the helper with Keycloak's default check set. For deployments that cannot upgrade immediately, enforce token expiration outside the helper [...] credit: "This issue was discovered by Andrea Cosentino from Apache Software Foundation and Yu Bao from Paypal" @@ -20,12 +20,12 @@ fixed: 4.18.3 and 4.21.0 The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23504 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23197 (commit 39133b1ada37c60dea53f3b7db720dbd2ae73fa6) and backported to camel-4.18.x (commit 7f4c4736021aff4fad925eca3bf456b95db038f3, PR #23204). The fix adds TokenVerifier.IS_ACTIVE to the withChecks(...) invocation so the token's validity window (exp/nbf) is enforced alongsi [...] -----BEGIN PGP SIGNATURE----- -iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmovy8EACgkQ406fOAL/ -QQDKjQf/eWUv1jZGzXHjjyMgnq+rzZNRYr24rzJfNrYKRJqRlCnAz+j8DZvZk2zc -8U6L23FX6HlSaHtuHCR+/EneCOkV5xaLmELY0Wh20ixHdvvjLBkzbcEuX4odWmwO -2vVOvqZVQK4zluYvefygMh98m2lBYA8sSU+ATNZWOHJqibZF6F+i0qKtVUYVtPOh -NPS1j6NtsXsur7N79XQSkRfZIvJh+0I0+GyAh9GvyT0lZBi7wE7aOdtDscLMkcea -rbSb1SQ+BT0HOkbQuBPtqdJsrnwhDWxFPCeaHrFM3vyXG0fDhUqBqzz42ugPbg10 -KmQYoF9RVPeRsbiwvwXw5k2Tn19pBg== -=eZ3j +iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmoyo1gACgkQ406fOAL/ +QQDo8wf/XBm1JBWDXpdGCgvc8oWwUxantkITRlC4p8kocMB7ZZxYPcn8uf507aJU +N63qPGxNHKc0o+cA0uzHR7TzHvc7KnsSAQz9EV+6K6xHRE2IEcWcK/MEg+6f4orQ +brZ1YQi1M2uAWaW3iv8lSxrcPye/nJrgW6lTFugKzTXlHjxGddNpGs/IdqvlaPe3 +lEM31FJilb5+AF+8iKVW+6R5eOlFI0nEKg5SuwmTzYNgul7Y5gj1V5i+H2Dz0J/b +8ve3rA3+l/K3dKf2yr2p7SxNN2SICT35NpwNKR/dCN8W1fcAQHRsRD+RVAOm64lN +sx5nc9uePTl4X9S4ChdpFjXV/+a0oA== +=l9Wj -----END PGP SIGNATURE----- diff --git a/content/security/CVE-2026-46456.md b/content/security/CVE-2026-46456.md index 4aefe784..d1d5ac9f 100644 --- a/content/security/CVE-2026-46456.md +++ b/content/security/CVE-2026-46456.md @@ -6,7 +6,7 @@ draft: false type: security-advisory cve: CVE-2026-46456 severity: MEDIUM -summary: "Apache Camel: Camel-AWS2-SQS: Inbound message attributes are mapped into the Exchange without an inbound HeaderFilterStrategy, allowing a message sender to inject Camel control headers" +summary: "Camel-AWS2-SQS: Inbound message attributes are mapped into the Exchange without an inbound HeaderFilterStrategy, allowing a message sender to inject Camel control headers" description: "The camel-aws2-sqs component maps inbound message attributes into the Camel Exchange through a component-specific HeaderFilterStrategy. Sqs2HeaderFilterStrategy configured only an outbound filter (setOutFilterPattern, which blocks Camel*, breadcrumbId and org.apache.camel.* headers being written to the broker) but did not configure an inbound filter. As a result, when Sqs2Consumer copies each SQS MessageAttribute into the Exchange via HeaderFilterStrategy.applyFilterToExter [...] mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix adds an inbound HeaderFilterStrategy rule to Sqs2HeaderFilterStrategy that filters the Camel header namespace case-insensitively on inbound mapping, so sender-supplied Camel* / camel* headers are no longer copied [...] credit: "This issue was discovered by Yu Bao from PayPal" diff --git a/content/security/CVE-2026-46456.txt.asc b/content/security/CVE-2026-46456.txt.asc index 6b395a44..0d678e39 100644 --- a/content/security/CVE-2026-46456.txt.asc +++ b/content/security/CVE-2026-46456.txt.asc @@ -9,7 +9,7 @@ draft: false type: security-advisory cve: CVE-2026-46456 severity: MEDIUM -summary: "Apache Camel: Camel-AWS2-SQS: Inbound message attributes are mapped into the Exchange without an inbound HeaderFilterStrategy, allowing a message sender to inject Camel control headers" +summary: "Camel-AWS2-SQS: Inbound message attributes are mapped into the Exchange without an inbound HeaderFilterStrategy, allowing a message sender to inject Camel control headers" description: "The camel-aws2-sqs component maps inbound message attributes into the Camel Exchange through a component-specific HeaderFilterStrategy. Sqs2HeaderFilterStrategy configured only an outbound filter (setOutFilterPattern, which blocks Camel*, breadcrumbId and org.apache.camel.* headers being written to the broker) but did not configure an inbound filter. As a result, when Sqs2Consumer copies each SQS MessageAttribute into the Exchange via HeaderFilterStrategy.applyFilterToExter [...] mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix adds an inbound HeaderFilterStrategy rule to Sqs2HeaderFilterStrategy that filters the Camel header namespace case-insensitively on inbound mapping, so sender-supplied Camel* / camel* headers are no longer copied [...] credit: "This issue was discovered by Yu Bao from PayPal" @@ -20,12 +20,12 @@ fixed: 4.14.8, 4.18.3 and 4.21.0 The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23506 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23221 (commit 5f57258fb33d33ef99df10594f8fe9f11d7c2b7e) and backported to camel-4.18.x (commit 7b334be0419839097a132d4ff3427fc4083e695e) and camel-4.14.x (commit b7f78292e747a28dbf5da444265557b5f9f3c1a1). The issue is classified as CWE-20 (Improper Input Validation). It belongs t [...] -----BEGIN PGP SIGNATURE----- -iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmovx0QACgkQ406fOAL/ -QQBxdwf/UgsFkSaK6vTC9glRWLySFdR725HGT1GtGPb/zkpbAVATc3xPwd+sy7ca -8ZwQOFUj/XkpBS1+i92HqTejbXaGD0zs0MDYJeDd6RgWUmTa/W1ibk/NpY3bOLiQ -V5VOdNQTIn8lF+gKYVTuVtlTRUkMZjiwEZCroG5kZcnyBL40JxdaH8PObPFTM+vp -dSB6LOMd40Bl6pLj5ocvoZ1ipPqZEIb000r6H6eBVLC/MrByXIlCcHQ9Q5IGqkWX -7ui30RQG/QnGKuZGFXTts6o0fil5vDfKrdYV9UCOIGTSWrxxiT56T/JsiHN0LOVb -yaDWfQQcbZnf6f4lsXHUU1TUNIGUTA== -=U/lk +iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmoyo1gACgkQ406fOAL/ +QQCyvggAql9wHXpY/x2jlr01p999d4PwDHRN8mQhSR1eKA9FaZDPXttQcxtdTZNr +qgxzjhO1hI24NT2O7gdCj9HVN1NVbXreNOF31twq0kAYalyuzJ+/CZ2HSvj4RPh1 +SwTLvHP1WLBZ6TEj6yWIPFMOLvzsj+shqhLoESqReo0QE9grx4rIe4AqYpzpmkGW +qi9o9KmlnAmpa6oj0yIZQAexn1HSydy9PQ7XXisFB1AxvNBvmW1NlGIkLGdr+e9k +HWPUCgObroupRRiUN/T+YuSNQILIzZLTrgrstPplJcDyAHJokhHSlmim9v87ey6e +cJybqgoQuk4sf2/JPgWyizM4PvD/Xg== +=0BwF -----END PGP SIGNATURE----- diff --git a/content/security/CVE-2026-46457.md b/content/security/CVE-2026-46457.md index ceb07acd..c36eeb23 100644 --- a/content/security/CVE-2026-46457.md +++ b/content/security/CVE-2026-46457.md @@ -6,7 +6,7 @@ draft: false type: security-advisory cve: CVE-2026-46457 severity: MEDIUM -summary: "Apache Camel: Camel-NATS: Inbound NATS message headers are mapped into the Exchange without a configured HeaderFilterStrategy, allowing a client that can publish to the subject to inject Camel control headers" +summary: "Camel-NATS: Inbound NATS message headers are mapped into the Exchange without a configured HeaderFilterStrategy, allowing a client that can publish to the subject to inject Camel control headers" description: "The camel-nats component maps inbound NATS message headers into the Camel Exchange but defaulted its headerFilterStrategy to a bare new DefaultHeaderFilterStrategy() with no inbound rules configured (NatsConfiguration). With no inFilter, inFilterPattern or inFilterStartsWith set, DefaultHeaderFilterStrategy.applyFilterToExternalHeaders returns not filtered for every header name, so NatsConsumer copies every NATS message header - including Camel-internal control headers such [...] mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix makes camel-nats default to a dedicated NatsHeaderFilterStrategy that filters the Camel header namespace case-insensitively on inbound mapping, so client-supplied Camel* / camel* headers are no longer copied into [...] credit: "This issue was discovered by Yu Bao from PayPal" diff --git a/content/security/CVE-2026-46457.txt.asc b/content/security/CVE-2026-46457.txt.asc index 44eda380..0edd208a 100644 --- a/content/security/CVE-2026-46457.txt.asc +++ b/content/security/CVE-2026-46457.txt.asc @@ -9,7 +9,7 @@ draft: false type: security-advisory cve: CVE-2026-46457 severity: MEDIUM -summary: "Apache Camel: Camel-NATS: Inbound NATS message headers are mapped into the Exchange without a configured HeaderFilterStrategy, allowing a client that can publish to the subject to inject Camel control headers" +summary: "Camel-NATS: Inbound NATS message headers are mapped into the Exchange without a configured HeaderFilterStrategy, allowing a client that can publish to the subject to inject Camel control headers" description: "The camel-nats component maps inbound NATS message headers into the Camel Exchange but defaulted its headerFilterStrategy to a bare new DefaultHeaderFilterStrategy() with no inbound rules configured (NatsConfiguration). With no inFilter, inFilterPattern or inFilterStartsWith set, DefaultHeaderFilterStrategy.applyFilterToExternalHeaders returns not filtered for every header name, so NatsConsumer copies every NATS message header - including Camel-internal control headers such [...] mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix makes camel-nats default to a dedicated NatsHeaderFilterStrategy that filters the Camel header namespace case-insensitively on inbound mapping, so client-supplied Camel* / camel* headers are no longer copied into [...] credit: "This issue was discovered by Yu Bao from PayPal" @@ -20,12 +20,12 @@ fixed: 4.14.8, 4.18.3 and 4.21.0 The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23515 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23233 (commit be8aad96fa04f81d2b58884e27ba6755c9ad2718) and backported to camel-4.18.x (commit 67f7ea7465a1bf637339975c69a82327890e22f0) and camel-4.14.x (commit f7022926ca9c1c94866bf32596c9869f424a3b2c). The issue is classified as CWE-20 (Improper Input Validation). It belongs t [...] -----BEGIN PGP SIGNATURE----- -iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmovx0kACgkQ406fOAL/ -QQB8aAf/QXfXf5rWo8cQuLMBTT17kUjxZZoV1O0hO4b2l7DoSnh3/3XJ7UcSMvw5 -vrUGZJHSyP6CJkH8JTC603D6xuud/L9zu9v5gK9Lo8fb/VecmHvl+KT7GkPUpDkk -Qpzm3bZmSveSRfA0NXKPTpQLtJxXmZslg5HR2qux83Ijy7aRSK5mY3+B/uyUxs2W -9qpf4MBmGpt7grnURud2opDhfCZWvi9a/D8SFiuSZTZthybWWVQ9AOV6e0STrvX0 -nwSSaqqtU0i3j2L3xFFZZnWzUGVLOZy2zzNxMUTSshf26358Wc+wPD1QNKjSLvrO -Evx24Bsxd+6xemJADqW0RSIDwfOc+g== -=y/w1 +iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmoyo1gACgkQ406fOAL/ +QQDzTQgAr9BVaoZjAaIwiL4/8uNezA7wVscghYmsDf4Y6w3cOdFLsslmOm0Lfj3k +01d/e+fy+Asyo3TNOl9/qQ1NC+Zfw+fVOBOiTHh4z9s33hsCROc9I9SQjU3GOawZ +wXWIs0t5hR/VoPz59CVP9gP90utERQvXdUztYa1PIE+2KO4gkCPeDByUTnrbJ78P +M091Hvq9CHPkah+VThF9AWvc+EwGzcLu/9718vtqjDEH14r/YzXvFOFHJamiA7Zg +dq37whL34QCciN7dUF30yNa1lUttQxM5Lf+jwRljQlNyXtwM+s6fRSRhrTLEQK0R +ZyS4JO+MArhrOdTqpPVPiegFYpD9kQ== +=mCP5 -----END PGP SIGNATURE----- diff --git a/content/security/CVE-2026-46584.md b/content/security/CVE-2026-46584.md index 23e644ef..6023a364 100644 --- a/content/security/CVE-2026-46584.md +++ b/content/security/CVE-2026-46584.md @@ -6,7 +6,7 @@ draft: false type: security-advisory cve: CVE-2026-46584 severity: MEDIUM -summary: "Apache Camel: Camel-Mail: The mail producer applied attacker-supplied mail.smtp.* / mail.smtps.* message headers as JavaMail session properties, allowing an attacker to weaken the SMTP transport security and, on releases before 4.19.0, redirect the connection and steal the configured SMTP credentials" +summary: "Camel-Mail: The mail producer applied attacker-supplied mail.smtp.* / mail.smtps.* message headers as JavaMail session properties, allowing an attacker to weaken the SMTP transport security and, on releases before 4.19.0, redirect the connection and steal the configured SMTP credentials" description: "The camel-mail producer (MailProducer.getSender) scanned the outgoing Exchange for message headers in the mail.smtp. / mail.smtps. namespace and, when any were present, built a per-message JavaMail sender with those values applied as JavaMail session properties, overriding the endpoint configuration. This namespace is Camel-internal - only MailProducer interprets it - and was not blocked by any HeaderFilterStrategy, so the values could originate from any inbound protocol (f [...] mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, the per-message override is disabled by default; enable it only on trusted endpoints with useJavaMailSessionPropertiesFromHeaders=true. For deployments that cannot upgrade immediately, strip the namespac [...] credit: "This issue was discovered by Yu Bao from PayPal" diff --git a/content/security/CVE-2026-46584.txt.asc b/content/security/CVE-2026-46584.txt.asc index 16888bc4..9051ba15 100644 --- a/content/security/CVE-2026-46584.txt.asc +++ b/content/security/CVE-2026-46584.txt.asc @@ -9,7 +9,7 @@ draft: false type: security-advisory cve: CVE-2026-46584 severity: MEDIUM -summary: "Apache Camel: Camel-Mail: The mail producer applied attacker-supplied mail.smtp.* / mail.smtps.* message headers as JavaMail session properties, allowing an attacker to weaken the SMTP transport security and, on releases before 4.19.0, redirect the connection and steal the configured SMTP credentials" +summary: "Camel-Mail: The mail producer applied attacker-supplied mail.smtp.* / mail.smtps.* message headers as JavaMail session properties, allowing an attacker to weaken the SMTP transport security and, on releases before 4.19.0, redirect the connection and steal the configured SMTP credentials" description: "The camel-mail producer (MailProducer.getSender) scanned the outgoing Exchange for message headers in the mail.smtp. / mail.smtps. namespace and, when any were present, built a per-message JavaMail sender with those values applied as JavaMail session properties, overriding the endpoint configuration. This namespace is Camel-internal - only MailProducer interprets it - and was not blocked by any HeaderFilterStrategy, so the values could originate from any inbound protocol (f [...] mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, the per-message override is disabled by default; enable it only on trusted endpoints with useJavaMailSessionPropertiesFromHeaders=true. For deployments that cannot upgrade immediately, strip the namespac [...] credit: "This issue was discovered by Yu Bao from PayPal" @@ -20,12 +20,12 @@ fixed: 4.14.8, 4.18.3 and 4.21.0 The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23522 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23362 (commit 1e31abca3213cde447a2ded1adc070ffec6836f1) and backported to camel-4.18.x (commit 725175e3aa16216361acc8497345f8e00536d2e0) and camel-4.14.x (commit 2d2815d256068f15d42da3af27fa86fb5efad2ab). The fix gates the per-message JavaMail session-property override behind a n [...] -----BEGIN PGP SIGNATURE----- -iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmovx0kACgkQ406fOAL/ -QQDMJQf9GjkfokoQKuFxNlvSJLF6Y5Y5W/4GOogvmeotH/raojPaMIbG3wx9crKt -i1LnogtEM8e1+7eUxfNdztrfUIow4T+/2wnSgBdhOaH83oyAZ6sxdXd6eFZn2RFn -dzotNlQ/ugOff/G7GrBgfQLIJJwdHb8DrJL7RgCidTcv38GdbkaDPsesaI0XS178 -TBhWaENPKcxpPrrPLLKytWvaa7WOFS1DIgBf2RxvtX7aL7YXF5KqxUQeoizjzvhh -pgGRQSOVT74KoB7fjNewszWXgV0g3kCyeCIbNUHLtkCkgdqMGFvfyHw0OwRvEs4J -1Gs2pOrjek13YNYkXX/U11s2ZbX0DQ== -=PmUn +iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmoyo1gACgkQ406fOAL/ +QQCWgQf/S0l3K+SUkm966JiboPdNMOYbW9M9Ef6GBom6qvuA6JXVGvnGOdjVdcad ++PkVEuwNiCVQV+2n7N0RPr0mWdYz1h23nYMRfa6yG+qFi8kkrBJVHaoDkSmsyXyy +KhGc/9HO/hzU2LyoopakP/qVPyQUf+VEZt6t3jYSYZk2xq1eSXYEpTtO9U6/tyir +dqlrIwrQNv1sX0t6j4Qg+FDZ/zbD9T6EKNU3DY21Yb4xwYZ0fIxEsruKH+MA9QC4 +F0L8RLsa930VNuTOGvBR2iTLfmoxIKeGmwDwakR3iT+xlsuDLpduZSX/fp9RcmWC +D1DExjAuJSXyvXkZjJ0gE2rGT7EHbA== +=NbvN -----END PGP SIGNATURE----- diff --git a/content/security/CVE-2026-46585.md b/content/security/CVE-2026-46585.md index d230f47b..75206951 100644 --- a/content/security/CVE-2026-46585.md +++ b/content/security/CVE-2026-46585.md @@ -6,7 +6,7 @@ draft: false type: security-advisory cve: CVE-2026-46585 severity: MEDIUM -summary: "Apache Camel: Camel-Lucene: The query control headers used non-Camel-prefixed names (QUERY, RETURN_LUCENE_DOCS) that bypass the HTTP header filter, allowing an HTTP client to inject the full-text search query" +summary: "Camel-Lucene: The query control headers used non-Camel-prefixed names (QUERY, RETURN_LUCENE_DOCS) that bypass the HTTP header filter, allowing an HTTP client to inject the full-text search query" description: "The camel-lucene producer reads the search phrase from an Exchange header (LuceneConstants.HEADER_QUERY) whose value was the plain string QUERY (and RETURN_LUCENE_DOCS for HEADER_RETURN_LUCENE_DOCS). Because these names do not start with the Camel / camel prefix, HttpHeaderFilterStrategy - which blocks only the Camel header namespace on the HTTP boundary - let them pass from an inbound HTTP request straight into the Exchange. In a route that exposes a Lucene query operation [...] mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, routes that set the query via the raw header name must use CamelLuceneQuery (and CamelLuceneReturnLuceneDocs) instead of QUERY / RETURN_LUCENE_DOCS. For deployments that cannot upgrade immediately, strip [...] credit: "This issue was discovered by Andrea Cosentino from the Apache Software Foundation and Yu Bao from PayPal" diff --git a/content/security/CVE-2026-46585.txt.asc b/content/security/CVE-2026-46585.txt.asc index 66976542..780bbf1e 100644 --- a/content/security/CVE-2026-46585.txt.asc +++ b/content/security/CVE-2026-46585.txt.asc @@ -9,7 +9,7 @@ draft: false type: security-advisory cve: CVE-2026-46585 severity: MEDIUM -summary: "Apache Camel: Camel-Lucene: The query control headers used non-Camel-prefixed names (QUERY, RETURN_LUCENE_DOCS) that bypass the HTTP header filter, allowing an HTTP client to inject the full-text search query" +summary: "Camel-Lucene: The query control headers used non-Camel-prefixed names (QUERY, RETURN_LUCENE_DOCS) that bypass the HTTP header filter, allowing an HTTP client to inject the full-text search query" description: "The camel-lucene producer reads the search phrase from an Exchange header (LuceneConstants.HEADER_QUERY) whose value was the plain string QUERY (and RETURN_LUCENE_DOCS for HEADER_RETURN_LUCENE_DOCS). Because these names do not start with the Camel / camel prefix, HttpHeaderFilterStrategy - which blocks only the Camel header namespace on the HTTP boundary - let them pass from an inbound HTTP request straight into the Exchange. In a route that exposes a Lucene query operation [...] mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, routes that set the query via the raw header name must use CamelLuceneQuery (and CamelLuceneReturnLuceneDocs) instead of QUERY / RETURN_LUCENE_DOCS. For deployments that cannot upgrade immediately, strip [...] credit: "This issue was discovered by Andrea Cosentino from the Apache Software Foundation and Yu Bao from PayPal" @@ -20,12 +20,12 @@ fixed: 4.14.8, 4.18.3 and 4.21.0 The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23509 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23208 (commit 878ea07996caff19ed227984bf6cb6cf01983422) and backported to camel-4.18.x (commit 16a70d48145605c1a35e909d308bf9e5e2d3e7d8) and camel-4.14.x (commit 349f197115d60e0c180cf9836e08f4aeb5a87872). The fix renames the camel-lucene Exchange header values to the Camel conven [...] -----BEGIN PGP SIGNATURE----- -iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmovx0kACgkQ406fOAL/ -QQC3GggAnZOT1B4CJk0IS6DqwsJKrl1PTGC6u84vl7R1x6P5Y/c6yurVduLBy4ov -HXeB1Abkr2NXJr24OTUT3jov5Mwju6wwzrzznukMpPW34rm+9UzyzxyuFRAU4Nw/ -0Ybxx43ixIy4+dOYxVZfIUEmUQ79Hyiy7WMsjFylUFAEeeJ3gEDPDXO21e/KJ2FM -C9ZY98n9PgLbNeKpYPMEghOf71JVhlWwJTGM57NdeX9bBYPjYJTX3CWuEvAb8AR9 -Q8oPy59r5oiw2WB7JEzvPCPMgnSF06QzqjDl5zkpeGzwK8bYmhlokascvKmxdffK -qXorC3BLZVsPyD1CCNGRtUwcbXImTQ== -=AxD0 +iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmoyo1gACgkQ406fOAL/ +QQDWtwf/UgJ/ym2Wp0WlOMtCxKMg2p92cYK+Bj2Awk8LNNqn4qOoHFfoYklvWqL2 +NcL3YzMsxVk1pWlFSiUO8PkGdt9IAqQ0tXM/Ul6fpHS1ykv8k3gsccqfHMfsXKI7 +Uo98rA44sJPbVStBDyTzE+nycRLVnMoZ+u0oNbV9QmQeRHGk3AITGdAkbCxxAOJi ++Ojkmo3en1U32K9NXoikd9cus3uCtBUa6Km3Ub3SUt6ehS/+YsNluN/kzQL95NnC +eHD6wdQ8qw+usO3CDta3l2UiRWab1CjFAQyfhUr/QRuRizMs61/a1EiMiZ4WFNbn +YGECEi6Uplcah3pZc8sH74iRE7wR5g== +=rP0d -----END PGP SIGNATURE----- diff --git a/content/security/CVE-2026-46590.md b/content/security/CVE-2026-46590.md index 9351633a..2d8f98ca 100644 --- a/content/security/CVE-2026-46590.md +++ b/content/security/CVE-2026-46590.md @@ -6,7 +6,7 @@ draft: false type: security-advisory cve: CVE-2026-46590 severity: MEDIUM -summary: "Apache Camel: Camel-PQC: The HashiCorp Vault and AWS Secrets Manager key-lifecycle managers deserialize persisted key metadata with java.io.ObjectInputStream and no ObjectInputFilter (incomplete remediation of CVE-2026-40048)" +summary: "Camel-PQC: The HashiCorp Vault and AWS Secrets Manager key-lifecycle managers deserialize persisted key metadata with java.io.ObjectInputStream and no ObjectInputFilter (incomplete remediation of CVE-2026-40048)" description: "The camel-pqc component persists post-quantum key metadata (KeyMetadata) through pluggable KeyLifecycleManager implementations. HashicorpVaultKeyLifecycleManager and AwsSecretsManagerKeyLifecycleManager read that metadata back from the configured secret backend by deserializing a Base64-wrapped value with a raw java.io.ObjectInputStream.readObject() and no ObjectInputFilter or class allow-list; the cast to KeyMetadata happens only after readObject() returns, so any readObje [...] mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.18.x LTS releases stream, then they are suggested to upgrade to 4.18.3. For deployments that cannot upgrade immediately, restrict write access to the key backend so that only the application's own identity can write the camel-pqc secrets (least-privilege HashiCorp Vault policies and secretsmanager:PutSecretValue IAM), and keep the PQC key material in a backend separate from any d [...] credit: "This issue was discovered by Yu Bao from PayPal" diff --git a/content/security/CVE-2026-46590.txt.asc b/content/security/CVE-2026-46590.txt.asc index 6840499a..d55de300 100644 --- a/content/security/CVE-2026-46590.txt.asc +++ b/content/security/CVE-2026-46590.txt.asc @@ -9,7 +9,7 @@ draft: false type: security-advisory cve: CVE-2026-46590 severity: MEDIUM -summary: "Apache Camel: Camel-PQC: The HashiCorp Vault and AWS Secrets Manager key-lifecycle managers deserialize persisted key metadata with java.io.ObjectInputStream and no ObjectInputFilter (incomplete remediation of CVE-2026-40048)" +summary: "Camel-PQC: The HashiCorp Vault and AWS Secrets Manager key-lifecycle managers deserialize persisted key metadata with java.io.ObjectInputStream and no ObjectInputFilter (incomplete remediation of CVE-2026-40048)" description: "The camel-pqc component persists post-quantum key metadata (KeyMetadata) through pluggable KeyLifecycleManager implementations. HashicorpVaultKeyLifecycleManager and AwsSecretsManagerKeyLifecycleManager read that metadata back from the configured secret backend by deserializing a Base64-wrapped value with a raw java.io.ObjectInputStream.readObject() and no ObjectInputFilter or class allow-list; the cast to KeyMetadata happens only after readObject() returns, so any readObje [...] mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.18.x LTS releases stream, then they are suggested to upgrade to 4.18.3. For deployments that cannot upgrade immediately, restrict write access to the key backend so that only the application's own identity can write the camel-pqc secrets (least-privilege HashiCorp Vault policies and secretsmanager:PutSecretValue IAM), and keep the PQC key material in a backend separate from any d [...] credit: "This issue was discovered by Yu Bao from PayPal" @@ -20,12 +20,12 @@ fixed: 4.18.3 and 4.21.0 The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23726 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23912 (commit feea08e7847f35dc0e177652b0b02bd45f6c1b4f) and backported to camel-4.18.x in https://github.com/apache/camel/pull/23914 (commit 12a9ac3c94d6fda12d16b2c0039db41c6204727e). The fix introduces a shared KeyMetadataCodec that stores key metadata as JSON for all three KeyL [...] -----BEGIN PGP SIGNATURE----- -iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmovx0kACgkQ406fOAL/ -QQD+sAf+L/iA+rSluo6rIJ6RqqWIsOUDKQzDB6XIdWO9WZRoYEuKfZXrUF42pxJS -WtvDxUDmrf5yTl5T89cVhyE+3QnLV09qgC3A2W8YT5LBh8P7ishODUbaxgi7oY4T -CB9lXZ/dkMpn/D7uCSmbZW8r6WcNTczJwNd4j77d4yv3S8eEv0/xBkCqQon8xBo+ -q8a7E2fu1ghYP+P6ZayGU2Ir6eDfRjOx/eFMDpj7fIPGxa5CN3dA75n+yT2R5GCp -d0kuf0ET2cLA0XdA/iY1pIQFw+QflukJGK43z6zyOHR0YSXlBLeCqUo7HWQIxT89 -NfFGcwhw/urpfth1d50gh9MfIgdW+A== -=gCER +iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmoyo1kACgkQ406fOAL/ +QQCGzwf9H0cbHjVgdI6XExFXDXAxBvT7iKHOHGjfBNNCDhG4DM6vYe8Hu2ehg1WQ +hkBEp0WbANHVRLjloHu3HBLuZ/77h53GV8+7pJ1bDza6o+Cfi4PYAz2WtrTEiguN +aBXqAG2YMtFROMEysnBQWh17BhSLC67z/bX3N8N5CBerA+e1ykuaYI+cntAyXx7h +aCFVKCJhveWvAt76NA4fHl8NMzdWlepEDPDqd7+m/WPfnYAt5YW6BWJ0/wsY9q+o +y1BDwCCVJp5sLV9Bl69S/9vYtFvJlP2sGzYdrPPnfP9YU6edGAWVoRiaDEjwsCoR +KMc2yK0utQvFTMeK0cjucJyyV90UaA== +=Yo3j -----END PGP SIGNATURE----- diff --git a/content/security/CVE-2026-46591.md b/content/security/CVE-2026-46591.md index 3277c6cd..a22b9a32 100644 --- a/content/security/CVE-2026-46591.md +++ b/content/security/CVE-2026-46591.md @@ -6,7 +6,7 @@ draft: false type: security-advisory cve: CVE-2026-46591 severity: MEDIUM -summary: "Apache Camel: Camel-Neo4j: JSON property names from the CamelNeo4jMatchProperties header are interpolated into the Cypher WHERE clause without validation, allowing Cypher injection (incomplete remediation of CVE-2025-66169)" +summary: "Camel-Neo4j: JSON property names from the CamelNeo4jMatchProperties header are interpolated into the Cypher WHERE clause without validation, allowing Cypher injection (incomplete remediation of CVE-2025-66169)" description: "The camel-neo4j producer builds the Cypher WHERE clause for its match/retrieve and delete operations from the CamelNeo4jMatchProperties map. CVE-2025-66169 addressed Cypher injection through the property values by binding them as query parameters ($paramN), but the property names (the JSON keys of that map) were still concatenated into the query string verbatim in Neo4jProducer.retrieveNodes() and deleteNode(). A property name containing Cypher syntax therefore alters the s [...] mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. For deployments that cannot upgrade immediately, do not populate the CamelNeo4jMatchProperties map from untrusted input: validate or allow-list the property names (for example against ^[A-Za-z_][A-Za-z0-9_]*$) before the [...] credit: "This issue was discovered by Yu Bao from PayPal" diff --git a/content/security/CVE-2026-46591.txt.asc b/content/security/CVE-2026-46591.txt.asc index 0b0985ac..958a0eec 100644 --- a/content/security/CVE-2026-46591.txt.asc +++ b/content/security/CVE-2026-46591.txt.asc @@ -9,7 +9,7 @@ draft: false type: security-advisory cve: CVE-2026-46591 severity: MEDIUM -summary: "Apache Camel: Camel-Neo4j: JSON property names from the CamelNeo4jMatchProperties header are interpolated into the Cypher WHERE clause without validation, allowing Cypher injection (incomplete remediation of CVE-2025-66169)" +summary: "Camel-Neo4j: JSON property names from the CamelNeo4jMatchProperties header are interpolated into the Cypher WHERE clause without validation, allowing Cypher injection (incomplete remediation of CVE-2025-66169)" description: "The camel-neo4j producer builds the Cypher WHERE clause for its match/retrieve and delete operations from the CamelNeo4jMatchProperties map. CVE-2025-66169 addressed Cypher injection through the property values by binding them as query parameters ($paramN), but the property names (the JSON keys of that map) were still concatenated into the query string verbatim in Neo4jProducer.retrieveNodes() and deleteNode(). A property name containing Cypher syntax therefore alters the s [...] mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. For deployments that cannot upgrade immediately, do not populate the CamelNeo4jMatchProperties map from untrusted input: validate or allow-list the property names (for example against ^[A-Za-z_][A-Za-z0-9_]*$) before the [...] credit: "This issue was discovered by Yu Bao from PayPal" @@ -20,12 +20,12 @@ fixed: 4.14.8, 4.18.3 and 4.21.0 The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23528 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23258 (commit bb4176fe87dc0cc60a5be37a57b69b8c610c1dd2) and backported to camel-4.18.x (commit 865d0b8b99f969e06ec6275b69c72670b5763245) and camel-4.14.x (commit 7881d949c40befcc602016dcce25a2fb38d070ce). The fix adds strict property-name validation (^[A-Za-z_][A-Za-z0-9_]*$) in [...] -----BEGIN PGP SIGNATURE----- -iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmovx0kACgkQ406fOAL/ -QQA5IAgAlty0klBH6og4me3Mmzm/JzMTg8H6KjJe+PDsCOVQF5FZvK+47l871njw -wdekJkAamL20tveC5QDVtg0C0dOmi0fto5DXjDeFmfQNBjS3KAEnWD7tOXdHcz9v -HKeORiobrI0AEkYRS8Ru6Yo61DNazuMuexS7ebks29Mzd3RWDscbH9ykA+2I3/tV -0zKdwH1xEWb00Bpu1cOyzZCFbd8lo+J2tEGtZo3wUwWKAJ7p8fRFSDLkpYjA2cux -Tq65mC3WLlf+NpiidVzWaprnFSUokMIMy13ZeP79pzTmAP9odFclSiqSEC2WlnRX -H5lOy2ezQeEBoh5bfJqO4hb8guwyJg== -=h8F6 +iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmoyo1kACgkQ406fOAL/ +QQDkxggAoKtshAwICpr6J9dcH5t9wQpRNJQ3o46n0tQGHQjlv+xnd5NzWHqktW0r +MX675MKmN+Zkh5tuM/XDg9GBsi5lA/TphnjeoOS7CBwgmUqrUz3n+uXHIqjTjh4t +lKMVSnuVKZDvufM/Gy5wR/Xuit9eJVpP0fZwnhuYtc71QM0vNXk7PRGwM4NgodlR +q554/X5EBcZ0P1sPXw1sMDT5DOMEKKvn/A/u2ouGFPbmBpYxFRS1vjohnUXJ4nsB +9qntHrWbxfC+wmo2qosE8DmJWuaCe3+izEK/QoZVUiRt/FtHF8SArpZIhUqiWdvz +O7whnEuLgrPGCeS8tviFR+Ki2LxLQQ== +=OQ8h -----END PGP SIGNATURE----- diff --git a/content/security/CVE-2026-46592.md b/content/security/CVE-2026-46592.md index 696a8996..9a00f8ff 100644 --- a/content/security/CVE-2026-46592.md +++ b/content/security/CVE-2026-46592.md @@ -6,7 +6,7 @@ draft: false type: security-advisory cve: CVE-2026-46592 severity: MEDIUM -summary: "Apache Camel: Camel-CXF: The SOAP operation-selection headers used non-Camel-prefixed names (operationName, operationNamespace) that bypass the HTTP header filter, allowing an HTTP client to redirect the invoked SOAP operation" +summary: "Camel-CXF: The SOAP operation-selection headers used non-Camel-prefixed names (operationName, operationNamespace) that bypass the HTTP header filter, allowing an HTTP client to redirect the invoked SOAP operation" description: "The camel-cxf producer selects which SOAP operation to invoke on the backend service from the operationName (and operationNamespace) Exchange header, whose constant values (CxfConstants.OPERATION_NAME / OPERATION_NAMESPACE) were the plain strings operationName / operationNamespace. Because these names do not start with the Camel / camel prefix, HttpHeaderFilterStrategy - which blocks only the Camel header namespace on the HTTP boundary - let them pass from an inbound HTTP r [...] mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, the operation-selection headers are named CamelCxfOperationName / CamelCxfOperationNamespace and are filtered at transport boundaries; see the 4.21 upgrade guide for the cross-transport carrier-header pa [...] credit: "This issue was discovered by Yu Bao from PayPal" diff --git a/content/security/CVE-2026-46592.txt.asc b/content/security/CVE-2026-46592.txt.asc index f601aed8..f690444a 100644 --- a/content/security/CVE-2026-46592.txt.asc +++ b/content/security/CVE-2026-46592.txt.asc @@ -9,7 +9,7 @@ draft: false type: security-advisory cve: CVE-2026-46592 severity: MEDIUM -summary: "Apache Camel: Camel-CXF: The SOAP operation-selection headers used non-Camel-prefixed names (operationName, operationNamespace) that bypass the HTTP header filter, allowing an HTTP client to redirect the invoked SOAP operation" +summary: "Camel-CXF: The SOAP operation-selection headers used non-Camel-prefixed names (operationName, operationNamespace) that bypass the HTTP header filter, allowing an HTTP client to redirect the invoked SOAP operation" description: "The camel-cxf producer selects which SOAP operation to invoke on the backend service from the operationName (and operationNamespace) Exchange header, whose constant values (CxfConstants.OPERATION_NAME / OPERATION_NAMESPACE) were the plain strings operationName / operationNamespace. Because these names do not start with the Camel / camel prefix, HttpHeaderFilterStrategy - which blocks only the Camel header namespace on the HTTP boundary - let them pass from an inbound HTTP r [...] mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, the operation-selection headers are named CamelCxfOperationName / CamelCxfOperationNamespace and are filtered at transport boundaries; see the 4.21 upgrade guide for the cross-transport carrier-header pa [...] credit: "This issue was discovered by Yu Bao from PayPal" @@ -20,12 +20,12 @@ fixed: 4.14.8, 4.18.3 and 4.21.0 The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23526 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23326 (commit 7240570a05687792c95badfa8d11ed2644117230) and backported to camel-4.18.x (commit 36a5088b58be38317a8f974ffda2a262fa00b4e4) and camel-4.14.x (commit 0138da45fc9428172c1585ab4561d42e8868cf49). The fix renames the camel-cxf Exchange header values to the Camel conventio [...] -----BEGIN PGP SIGNATURE----- -iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmovx0kACgkQ406fOAL/ -QQD+rggArX4gV3sZdb1eyOc2dkYmA7GJV4JVa9MdjrFuZy+Tqt9T8eK8D2L5yxld -kJoajcdMeM/GFsS/BSr3QhoPTGlWd55ViBbW+9tbCFGvqwI1bHZYeQ/vK0sbq1ty -R20d7xr8cRMy5kKpCrPQEFkH5DsVcysuvmxV44gNzhNrqBEyGXPjHu8VEruu29ss -sPR5k8yGzmWO4icQ+wheOD/+LxCn8PBOrO/PD5CIYbitFpyg+t7Cz0dvzNXWojn1 -CRRD2L5ypit1ut6JEuneDzqJtuPEtPkXdFmSIZ4J/d5D/lpi8TsT+Jmc/SspiOqG -TuW6xgWg4Q3oUmOfH+2Og70fACYS9A== -=ZYJf +iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmoyo1kACgkQ406fOAL/ +QQDVeQf9HTeVGmeqAnZnmzu2Jt8dm8lm7H6/m6Xec6PkbOKNY1bRh59wKTmwQF3D +sbESkwgToVtZFYDZl7cysPIMTw+/Puc/Sc2pBf5icJ2qHSXVTZdVuT1imw8Bno5j +GAcol+qDbvJDzNiQ5GfEHF6dH7Tj0UCmf0zXWYrUw/uKhbgrgx0xcMOzyuC1yLh6 +nd50VKmzViaSISMHRIw9jg4dFsowT5/vIZItzmgSWOWadHoXdmaeoHZjlEIJJKeb +X8A06fSRXwU9SBOVWBlsZ0h7MkPAntKQZ9wDw1z6P//0HNTQ4PfWz6Wy6rLUd0fB +jmYwTX1klY9VTerhcz/bfD4EzM2bVQ== +=vOww -----END PGP SIGNATURE----- diff --git a/content/security/CVE-2026-46726.md b/content/security/CVE-2026-46726.md index 88a55b65..21092240 100644 --- a/content/security/CVE-2026-46726.md +++ b/content/security/CVE-2026-46726.md @@ -6,7 +6,7 @@ draft: false type: security-advisory cve: CVE-2026-46726 severity: HIGH -summary: "Apache Camel: Camel-Vertx-Websocket, Camel-Atmosphere-Websocket and Camel-Iggy: Inbound consumers map externally-supplied parameters into the Exchange without a HeaderFilterStrategy, allowing injection of Camel control headers - enabling server-side request forgery and disclosure of secrets through the vertx-websocket consumer" +summary: "Camel-Vertx-Websocket, Camel-Atmosphere-Websocket and Camel-Iggy: Inbound consumers map externally-supplied parameters into the Exchange without a HeaderFilterStrategy, allowing injection of Camel control headers - enabling server-side request forgery and disclosure of secrets through the vertx-websocket consumer" description: "The camel-vertx-websocket consumer mapped inbound WebSocket query and path parameters into the Camel Exchange header map without applying any HeaderFilterStrategy (VertxWebsocketConsumer.populateExchangeHeaders()). Because nothing blocked the Camel header namespace, a client connecting to the WebSocket endpoint could set Camel-internal control headers - including CamelHttpUri (Exchange.HTTP_URI) - simply by supplying them as query parameters. In a route where the WebSocket [...] mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix makes the affected consumers apply a HeaderFilterStrategy that filters the Camel header namespace case-insensitively on inbound mapping, so externally-supplied Camel* / camel* headers are no longer copied into th [...] credit: "This issue was discovered by Kamalpreet Singh" diff --git a/content/security/CVE-2026-46726.txt.asc b/content/security/CVE-2026-46726.txt.asc index b16ede30..a57d5078 100644 --- a/content/security/CVE-2026-46726.txt.asc +++ b/content/security/CVE-2026-46726.txt.asc @@ -9,7 +9,7 @@ draft: false type: security-advisory cve: CVE-2026-46726 severity: HIGH -summary: "Apache Camel: Camel-Vertx-Websocket, Camel-Atmosphere-Websocket and Camel-Iggy: Inbound consumers map externally-supplied parameters into the Exchange without a HeaderFilterStrategy, allowing injection of Camel control headers - enabling server-side request forgery and disclosure of secrets through the vertx-websocket consumer" +summary: "Camel-Vertx-Websocket, Camel-Atmosphere-Websocket and Camel-Iggy: Inbound consumers map externally-supplied parameters into the Exchange without a HeaderFilterStrategy, allowing injection of Camel control headers - enabling server-side request forgery and disclosure of secrets through the vertx-websocket consumer" description: "The camel-vertx-websocket consumer mapped inbound WebSocket query and path parameters into the Camel Exchange header map without applying any HeaderFilterStrategy (VertxWebsocketConsumer.populateExchangeHeaders()). Because nothing blocked the Camel header namespace, a client connecting to the WebSocket endpoint could set Camel-internal control headers - including CamelHttpUri (Exchange.HTTP_URI) - simply by supplying them as query parameters. In a route where the WebSocket [...] mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix makes the affected consumers apply a HeaderFilterStrategy that filters the Camel header namespace case-insensitively on inbound mapping, so externally-supplied Camel* / camel* headers are no longer copied into th [...] credit: "This issue was discovered by Kamalpreet Singh" @@ -20,12 +20,12 @@ fixed: 4.14.8, 4.18.3 and 4.21.0 The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23532 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23285 (commit 1e776238202edb9d98972cff558e12b53e499647) and backported to camel-4.18.x (commit 88c43e3af36013585b5483c671950f30e5833a5f) and camel-4.14.x (commit 508fc15deca97ba373eb3881a00e220eab9ec428). The fix adds a dedicated HeaderFilterStrategy to each affected consumer - a [...] -----BEGIN PGP SIGNATURE----- -iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmovx0kACgkQ406fOAL/ -QQAIJgf/WiofpIpYaklvH5pBAucVW+SVzBoQovo1I6NtZ4aZvAUQ1Tfjb1BNtSjZ -wbbIwJavaBRhc4an5oDWqL0Z6oBl8yRp1kx8HTx8AqtEbUPzxLEHh9kYEitsMxpG -Bl3+hMyROt7WEkpqsv83PuiYwknVl8il4KEvp1LkXZcWmKrkGucOlQwt8C1NAWT6 -ZTU68ahWtAfKuVLrpevrFhQ9hr+QWX7KHd7YfFXj7Sx35opvrtDnn7yTUDuUzJGG -Z3pxd6ceYAEeUgkXhtjGr/qjyj1qkaEaC9eOpsTFg3Bfbxa5RH86tfpJv9Uw0yj9 -sWvI9yHjXVkiqsegQWgUVxXf/ya7lg== -=q1do +iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmoyo1kACgkQ406fOAL/ +QQAAogf+Ja+WDUdgK2lM9BATzOZedlWea2hr+L1xWoXLHwBbLU/0HAr9YgRAEk0D +4TFvTF0W6HxR7nXsCMZZTJOGtQcCfxzJtQlLRJJjotn3njVWqaCuLL+GvRDi5156 +VJnK7GcEqJeGttF9kLZSVlsqxBOqEBgnSUQtfvMQqqEt4Pc4SYYJWohaL934zCVa +i8CV+v2h4ozR11voFi88H+Exsg8ebk81IGwWOJAmEQAUOgU1WeOvvfdL5k4nRE+a +SAmEUphHkxzqFNx+z2WPsC3q1CDZl7CaxoB3skihL/ePw2K7pFC0SVs8CaaTQvKE +DM8A0nejClYGPBlG36wkI8Lk/SmXTQ== +=W9wM -----END PGP SIGNATURE----- diff --git a/content/security/CVE-2026-48203.md b/content/security/CVE-2026-48203.md index 415a9bb7..5306b9fd 100644 --- a/content/security/CVE-2026-48203.md +++ b/content/security/CVE-2026-48203.md @@ -6,7 +6,7 @@ draft: false type: security-advisory cve: CVE-2026-48203 severity: MEDIUM -summary: "Apache Camel: Camel-Solr: The SolrParam. and SolrField. Exchange header prefixes used non-Camel-prefixed names that bypass the HTTP header filter, allowing an HTTP client to inject Solr query parameters (server-side request forgery) and document fields" +summary: "Camel-Solr: The SolrParam. and SolrField. Exchange header prefixes used non-Camel-prefixed names that bypass the HTTP header filter, allowing an HTTP client to inject Solr query parameters (server-side request forgery) and document fields" description: "The camel-solr producer copies Exchange message headers whose names begin with the SolrParam. prefix into the parameters of the Solr request, and headers whose names begin with the SolrField. prefix into the fields of the indexed Solr document. The prefix constants (SolrConstants.HEADER_PARAM_PREFIX / HEADER_FIELD_PREFIX) were the plain strings SolrParam. / SolrField.. Because these names do not start with the Camel / camel prefix, HttpHeaderFilterStrategy - which blocks on [...] mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, routes that set Solr parameters or fields via the raw header prefixes must use CamelSolrParam. / CamelSolrField. instead of SolrParam. / SolrField.. For deployments that cannot upgrade immediately, strip [...] credit: "This issue was discovered by Yu Bao from PayPal" diff --git a/content/security/CVE-2026-48203.txt.asc b/content/security/CVE-2026-48203.txt.asc index 1099e549..43d84204 100644 --- a/content/security/CVE-2026-48203.txt.asc +++ b/content/security/CVE-2026-48203.txt.asc @@ -9,7 +9,7 @@ draft: false type: security-advisory cve: CVE-2026-48203 severity: MEDIUM -summary: "Apache Camel: Camel-Solr: The SolrParam. and SolrField. Exchange header prefixes used non-Camel-prefixed names that bypass the HTTP header filter, allowing an HTTP client to inject Solr query parameters (server-side request forgery) and document fields" +summary: "Camel-Solr: The SolrParam. and SolrField. Exchange header prefixes used non-Camel-prefixed names that bypass the HTTP header filter, allowing an HTTP client to inject Solr query parameters (server-side request forgery) and document fields" description: "The camel-solr producer copies Exchange message headers whose names begin with the SolrParam. prefix into the parameters of the Solr request, and headers whose names begin with the SolrField. prefix into the fields of the indexed Solr document. The prefix constants (SolrConstants.HEADER_PARAM_PREFIX / HEADER_FIELD_PREFIX) were the plain strings SolrParam. / SolrField.. Because these names do not start with the Camel / camel prefix, HttpHeaderFilterStrategy - which blocks on [...] mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, routes that set Solr parameters or fields via the raw header prefixes must use CamelSolrParam. / CamelSolrField. instead of SolrParam. / SolrField.. For deployments that cannot upgrade immediately, strip [...] credit: "This issue was discovered by Yu Bao from PayPal" @@ -20,12 +20,12 @@ fixed: 4.14.8, 4.18.3 and 4.21.0 The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23597 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23410 (commit 4578a9014a6b7a914cf16baf2c5bf62a7b163a88) and backported to camel-4.18.x (commit cfc0d51f015b3112eae4ce0968d045f00e95c796) and camel-4.14.x (commit f79cbe3f8bc3fe1095d8492e9ef321289451d457). The fix renames the two camel-solr Exchange header prefix values to the Cam [...] -----BEGIN PGP SIGNATURE----- -iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmovx0kACgkQ406fOAL/ -QQCazgf+M4mOhmr6oW5gC6pbgloAhqg+8ICxBb7Ty2GRAfAhM3/5dRR2wn01YHM9 -B3KThK+a/y3PlvBXc5ACvEflBp2DMv4mTGC+f2Cvg151HLxqQp4UJVpTIjwylv+F -L5VMvazBnVk71Ddhz+wntdm5a+jJgMOORJH5VWibkqK/cpdQMOmI5rnpYjMnBh4/ -5d+UPjEIzEd99+9oFpkTnKaT6nVEJ0VdbrB8U5PzEFgyqI2bzf0GbVVDk/JXlmSW -nXBckMD0sBUU1aOAaE2fSjTt8+aNbQA1adH39pXGr5Y3hjfFd3udoYgSCU8mKcJE -fIfGInY4v8QB1zezi3gS68c6blPCYg== -=rbyf +iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmoyo1kACgkQ406fOAL/ +QQCbqgf+PlmKuvqCHU81LtrJA+l5ZYlfzl5vcVv6YbQHlyxrTb64FTUp0XIGF6hj +v3zgdfe08Ois0Tm0skKPke1vYiIdmNNQqEz3kiir8x16F+rylML9tUwhBSIILMp2 +N47Qh9+lfimbP4bOjlYm9+Pbfbizfb2eMTtfcOBhKEym+TVDAsL9CchX8unbhnhg +yO+yMvww4zyxuvTZh+IhTCZnzQGDDfHZzeTrarxd4PDTBixRKCa1D23brtm0apt5 +kvm3P9uc02aUROhZqr4S7qV7idLtVEzPYu8YpF/PUP63idtiPlYVfye+lGy2UnEJ +IhuXrOZXqs9lqZx2ScvtOSCMiMnKng== +=1602 -----END PGP SIGNATURE----- diff --git a/content/security/CVE-2026-48204.md b/content/security/CVE-2026-48204.md index 28220e1d..23821275 100644 --- a/content/security/CVE-2026-48204.md +++ b/content/security/CVE-2026-48204.md @@ -6,7 +6,7 @@ draft: false type: security-advisory cve: CVE-2026-48204 severity: MEDIUM -summary: "Apache Camel: Camel-MongoDB-GridFS: The gridfs.* control headers used non-Camel-prefixed names that bypass the HTTP header filter, allowing an HTTP client to switch the GridFS operation - including destructive file deletion - in the default configuration" +summary: "Camel-MongoDB-GridFS: The gridfs.* control headers used non-Camel-prefixed names that bypass the HTTP header filter, allowing an HTTP client to switch the GridFS operation - including destructive file deletion - in the default configuration" description: "The camel-mongodb-gridfs producer selects the GridFS operation to perform from the gridfs.operation Exchange header when the endpoint's operation parameter is not set - which is the default. The control-header constants (GridFsConstants.GRIDFS_OPERATION, GRIDFS_OBJECT_ID, GRIDFS_METADATA, GRIDFS_CHUNKSIZE, GRIDFS_FILE_ID_PRODUCED) were the plain strings gridfs.operation, gridfs.objectid, gridfs.metadata, gridfs.chunksize and gridfs.fileid. Because these names do not start w [...] mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, routes that drive GridFS operations or metadata via the raw header names must use CamelGridFsOperation / CamelGridFsObjectId / CamelGridFsMetadata / CamelGridFsChunkSize / CamelGridFsFileId instead of th [...] credit: "This issue was discovered by Yu Bao from PayPal" diff --git a/content/security/CVE-2026-48204.txt.asc b/content/security/CVE-2026-48204.txt.asc index 53e21a78..1333416a 100644 --- a/content/security/CVE-2026-48204.txt.asc +++ b/content/security/CVE-2026-48204.txt.asc @@ -9,7 +9,7 @@ draft: false type: security-advisory cve: CVE-2026-48204 severity: MEDIUM -summary: "Apache Camel: Camel-MongoDB-GridFS: The gridfs.* control headers used non-Camel-prefixed names that bypass the HTTP header filter, allowing an HTTP client to switch the GridFS operation - including destructive file deletion - in the default configuration" +summary: "Camel-MongoDB-GridFS: The gridfs.* control headers used non-Camel-prefixed names that bypass the HTTP header filter, allowing an HTTP client to switch the GridFS operation - including destructive file deletion - in the default configuration" description: "The camel-mongodb-gridfs producer selects the GridFS operation to perform from the gridfs.operation Exchange header when the endpoint's operation parameter is not set - which is the default. The control-header constants (GridFsConstants.GRIDFS_OPERATION, GRIDFS_OBJECT_ID, GRIDFS_METADATA, GRIDFS_CHUNKSIZE, GRIDFS_FILE_ID_PRODUCED) were the plain strings gridfs.operation, gridfs.objectid, gridfs.metadata, gridfs.chunksize and gridfs.fileid. Because these names do not start w [...] mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, routes that drive GridFS operations or metadata via the raw header names must use CamelGridFsOperation / CamelGridFsObjectId / CamelGridFsMetadata / CamelGridFsChunkSize / CamelGridFsFileId instead of th [...] credit: "This issue was discovered by Yu Bao from PayPal" @@ -20,12 +20,12 @@ fixed: 4.14.8, 4.18.3 and 4.21.0 The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23575 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23413 (commit 8f0b1acfb89867bc28805d8281fa5c70192e2122) and backported to camel-4.18.x (commit 054d0c1e6c63f06b1a890c93f24115ee9bd110a8) and camel-4.14.x (commit 9915ad461dad8f5073782f643557bf1e7ae3bc31). The fix renames the camel-mongodb-gridfs Exchange header values to the Came [...] -----BEGIN PGP SIGNATURE----- -iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmovx0kACgkQ406fOAL/ -QQBy7Qf+PZtbscveQfEM3SNE/x9DisDgrtMZUOdd4X3RwopRdO9zLp5lDn1o+84U -TiqqxK4j5+3UNtCoZYYB1tSyb/yPSngOfERj6Cd+CVkuu7YY+E9UJmEdrxSrdvk6 -Asn2pV6IlODFQsPAIlcPzQCOaus4p73HFyIMA9KgvTfg5zPwrbtwKz8rxQsxxNFR -/sqGtGMvoUBjHEyfk4HGChiFbNIC1E+Uq00kol6ryUpdSm9bMFjzgi4xJjwR/EZN -Llfm5RuB8dJtqfcT977kKNjfqfLsp9PkCcSoO3GtfNxOkSmSPB/VnBjW9SO4MOse -jXZppx5SOS/A8U9b4Oj3gDLURQ9ixQ== -=OkJF +iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmoyo1kACgkQ406fOAL/ +QQAEuQf+J/kkzHk00iOG2uiUCyMcBfjdskhURzAury3AysnAwvSYK6VPVCXx7srU +kVZUtU4Fknx1lcuG2GoKMpC4fXUWkbIH9DXcPw0K86LqZTCoym2YBHetNOFILwBS +6Ojf++pGAUENJx/Ue/4UA+acP9OcMqPoaJkh2vfm7TWVw3dy+lLd6VpU0+u5rkwj +/G/WBkWYQavRQSyxLNdmVdq/NS1HFkI2I70DdzHv1+98RiypJkjjm3aMj2aVaYGg +OJt3MnDgKcoAaxDb+BFYj8QnFtbaqjK2Cov3ZQetVJ/v5OYMCYuEju+EGiQjzrOj +lI7LmauH0dY/KPYpR/p5TbfFhGKHAQ== +=S1b8 -----END PGP SIGNATURE----- diff --git a/content/security/CVE-2026-48205.md b/content/security/CVE-2026-48205.md index 7015ddb9..0c42f054 100644 --- a/content/security/CVE-2026-48205.md +++ b/content/security/CVE-2026-48205.md @@ -6,7 +6,7 @@ draft: false type: security-advisory cve: CVE-2026-48205 severity: MEDIUM -summary: "Apache Camel: Camel-DNS: The dns.* and term Exchange header constants used non-Camel-prefixed names that bypass the HTTP header filter, allowing an HTTP client to redirect DNS queries to an attacker-controlled server (server-side request forgery) and enumerate internal hostnames" +summary: "Camel-DNS: The dns.* and term Exchange header constants used non-Camel-prefixed names that bypass the HTTP header filter, allowing an HTTP client to redirect DNS queries to an attacker-controlled server (server-side request forgery) and enumerate internal hostnames" description: "The camel-dns producers read DNS operation parameters - the resolver to query, the name or domain to look up, the record type and class, and the search term - from Exchange message headers whose constant values (DnsConstants.DNS_SERVER, DNS_NAME, DNS_DOMAIN, DNS_TYPE, DNS_CLASS, TERM) were the plain strings dns.server, dns.name, dns.domain, dns.type, dns.class and term. Because these names do not start with the Camel / camel prefix, HttpHeaderFilterStrategy - which blocks o [...] mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, routes that drive DNS operations via the raw header names must use CamelDnsServer / CamelDnsName / CamelDnsDomain / CamelDnsType / CamelDnsClass / CamelDnsTerm instead of the dns.* / term names. For depl [...] credit: "This issue was discovered by Yu Bao from PayPal" diff --git a/content/security/CVE-2026-48205.txt.asc b/content/security/CVE-2026-48205.txt.asc index 575069e2..60a7fab2 100644 --- a/content/security/CVE-2026-48205.txt.asc +++ b/content/security/CVE-2026-48205.txt.asc @@ -9,7 +9,7 @@ draft: false type: security-advisory cve: CVE-2026-48205 severity: MEDIUM -summary: "Apache Camel: Camel-DNS: The dns.* and term Exchange header constants used non-Camel-prefixed names that bypass the HTTP header filter, allowing an HTTP client to redirect DNS queries to an attacker-controlled server (server-side request forgery) and enumerate internal hostnames" +summary: "Camel-DNS: The dns.* and term Exchange header constants used non-Camel-prefixed names that bypass the HTTP header filter, allowing an HTTP client to redirect DNS queries to an attacker-controlled server (server-side request forgery) and enumerate internal hostnames" description: "The camel-dns producers read DNS operation parameters - the resolver to query, the name or domain to look up, the record type and class, and the search term - from Exchange message headers whose constant values (DnsConstants.DNS_SERVER, DNS_NAME, DNS_DOMAIN, DNS_TYPE, DNS_CLASS, TERM) were the plain strings dns.server, dns.name, dns.domain, dns.type, dns.class and term. Because these names do not start with the Camel / camel prefix, HttpHeaderFilterStrategy - which blocks o [...] mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, routes that drive DNS operations via the raw header names must use CamelDnsServer / CamelDnsName / CamelDnsDomain / CamelDnsType / CamelDnsClass / CamelDnsTerm instead of the dns.* / term names. For depl [...] credit: "This issue was discovered by Yu Bao from PayPal" @@ -20,12 +20,12 @@ fixed: 4.14.8, 4.18.3 and 4.21.0 The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23574 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23411 (commit bdd40cf23f2b22cd293ddad319069a7b3b3c6c70) and backported to camel-4.18.x (commit 29b18beaf1fb07276de909b8e19cd87f01e8abd9) and camel-4.14.x (commit a6d8a44684c0116531e70ad8eb8bb37bd5601e98). The fix renames the camel-dns Exchange header values to the Camel conventio [...] -----BEGIN PGP SIGNATURE----- -iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmovx0kACgkQ406fOAL/ -QQCD9gf+J/fqPgskztbdjzddPWby3VCX5r+vOKXjh48+ptMUFk3+0XUd2jFyAfn6 -ddH/FZa/72L5j01cqps53IL4s8v6bOySG6FIQXO36W/HOe5ASkSR4ldsGC4NAMyH -keX3tLpeq0zHaBHPkCAWduD2ztfbYoYdaZPZy2baY+T7f8mF3UNd8KKEeK5+0w8W -ZV5vHxMo+zQNL3dSmfx0fPB7Xf1rk40o+V1BAe3EbiY3uCrA92hX0Nd5emreK20o -GLcDioVMIjRRP77IDs7err9WPkFbMnz2mCSeIgTy6eemw0I0VM+E6vQt4BfgkrqT -gfybnZ9zf1im0CjoXGwhA/YZsi4igw== -=XlBd +iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmoyo1kACgkQ406fOAL/ +QQAI+wf8CUBqI73Z4Q/95BdsZVo5jqZiHEQXsMraGXC2VXv0caOBWZ415lEBUXj3 +tk7zpTwyW/YhybtwkXrCZOc1alJfY6DI2cJCjUW9EXf7UvG32zipgtMdLizVo+i4 +kXfcqrXC6t5dc/xqD9ydSli0Tvqwv9F8wzJxRZGRoGZuq3ehdY6MT2brjYS11Z48 +8KlNFmk0kKh5cnHw2vJRn/GM1B0BPRhmjaUfqRS/6GxohdCO7vP7Szi1CmooI5RD +c1mfBTZquYCpQxreI3TTVu1mR2p0cLz/iSTxGLhSgm+hs4PCGPMpFATzAyDfR40H +yj5gkGpg1yTNHa9G8MriiW6HFartVQ== +=JCqR -----END PGP SIGNATURE----- diff --git a/content/security/CVE-2026-48206.md b/content/security/CVE-2026-48206.md index b210eb90..81529817 100644 --- a/content/security/CVE-2026-48206.md +++ b/content/security/CVE-2026-48206.md @@ -6,7 +6,7 @@ draft: false type: security-advisory cve: CVE-2026-48206 severity: MEDIUM -summary: "Apache Camel: Camel-JIRA: A set of non-Camel-prefixed Exchange header constants (IssueKey, ProjectKey, IssueTransitionId, ...) bypass the HTTP header filter, allowing an HTTP client to drive arbitrary JIRA issue operations using the endpoint's configured credentials" +summary: "Camel-JIRA: A set of non-Camel-prefixed Exchange header constants (IssueKey, ProjectKey, IssueTransitionId, ...) bypass the HTTP header filter, allowing an HTTP client to drive arbitrary JIRA issue operations using the endpoint's configured credentials" description: "The camel-jira producers read their operation parameters - the issue key, project key, transition id, summary, type, assignee, components, watchers, link type, work-log minutes and others - from Exchange message headers. The header constants defined in JiraConstants (for example ISSUE_KEY = IssueKey, ISSUE_PROJECT_KEY = ProjectKey, ISSUE_TRANSITION_ID = IssueTransitionId, LINK_TYPE = linkType) used plain, non-Camel-prefixed values. Because these names do not start with the [...] mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, routes that drive JIRA operations via the raw header names must use the CamelJira* names (for example CamelJiraIssueKey) instead of the old values. For deployments that cannot upgrade immediately, strip [...] credit: "This issue was discovered by Yu Bao from PayPal" diff --git a/content/security/CVE-2026-48206.txt.asc b/content/security/CVE-2026-48206.txt.asc index b2989423..9165462e 100644 --- a/content/security/CVE-2026-48206.txt.asc +++ b/content/security/CVE-2026-48206.txt.asc @@ -9,7 +9,7 @@ draft: false type: security-advisory cve: CVE-2026-48206 severity: MEDIUM -summary: "Apache Camel: Camel-JIRA: A set of non-Camel-prefixed Exchange header constants (IssueKey, ProjectKey, IssueTransitionId, ...) bypass the HTTP header filter, allowing an HTTP client to drive arbitrary JIRA issue operations using the endpoint's configured credentials" +summary: "Camel-JIRA: A set of non-Camel-prefixed Exchange header constants (IssueKey, ProjectKey, IssueTransitionId, ...) bypass the HTTP header filter, allowing an HTTP client to drive arbitrary JIRA issue operations using the endpoint's configured credentials" description: "The camel-jira producers read their operation parameters - the issue key, project key, transition id, summary, type, assignee, components, watchers, link type, work-log minutes and others - from Exchange message headers. The header constants defined in JiraConstants (for example ISSUE_KEY = IssueKey, ISSUE_PROJECT_KEY = ProjectKey, ISSUE_TRANSITION_ID = IssueTransitionId, LINK_TYPE = linkType) used plain, non-Camel-prefixed values. Because these names do not start with the [...] mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, routes that drive JIRA operations via the raw header names must use the CamelJira* names (for example CamelJiraIssueKey) instead of the old values. For deployments that cannot upgrade immediately, strip [...] credit: "This issue was discovered by Yu Bao from PayPal" @@ -20,12 +20,12 @@ fixed: 4.14.8, 4.18.3 and 4.21.0 The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23576 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23417 (commit 3240a174a3707ba2b1d893c4ac0880829e0c9233) and backported to camel-4.18.x (commit 024704f95f16d1260304054088fa0b34acb57ebf) and camel-4.14.x (commit 6863ea624605ab3fa8827c43a4c5df333f767dc4). The fix renames the camel-jira Exchange header constant values to the Camel [...] -----BEGIN PGP SIGNATURE----- -iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmovx0kACgkQ406fOAL/ -QQAAuggArugs/6V+nI9LE0vFZajL+mLLpH+6xzPTWwVMGLBEiehpTn7DPGbMfLrq -5s2MZHhnr3Mk5EC2ZZtCBKUlbiECLiSR2v0hLFt58FJMjGY6oubYOYOyFhroZvjP -pq20roznx2oFcOWm9XEK9DN1CynNgpteWi0KKDUYQdK6pfSSvGgAKNl+he7RFgz9 -SuDXEGvNKx0PtUZms4sEWPPYhH2wykSqLvVpDVB95o1LeVc13ngp0kODKIcz9tpD -gpUR2v6mu80qLd3ZpmYL/zEjIhMB7Ewxq/1Rq/on1LdcCibrPMYreI3r9uVmUorZ -EUPO+IHUdPUPK0Ufy84VtaQt2oQd/A== -=WyJi +iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmoyo1kACgkQ406fOAL/ +QQAAWggArGiFTZLearV5i6RKE0SJQWxVMiBrdMXg5PSpmrilDj3gNcHAhwOesjn3 +aqBde/Q2P9X+VnJF7h9x+nRvY8d6uXp9iIdM3OqMmFPi9vAu61QY3aFGIGE0/DIx +VhFQyb1HhWQXJ/G6imPXBZVjidn16W+53NTiaq5aYLLxxTFsYLI0EtLTsfzteIQV +m59PRaQXoS0jq+v5TbUBigYkyAYZpC1DbzJnImmeNVelFijU2/BN5vl4B/X07mXD +0skuClM3r8VFe4MNGJ83PpsDptuFFnGkmGgtd1V/xNbtbvTu1e8rwJyZEqkSDIO/ +zbSCRyClKwWOXKPEdXrMtfBVkBQpjg== +=H+Le -----END PGP SIGNATURE----- diff --git a/content/security/CVE-2026-49086.md b/content/security/CVE-2026-49086.md index 35a312ba..6b116a35 100644 --- a/content/security/CVE-2026-49086.md +++ b/content/security/CVE-2026-49086.md @@ -6,7 +6,7 @@ draft: false type: security-advisory cve: CVE-2026-49086 severity: MEDIUM -summary: "Apache Camel: Camel-Dapr: The Dapr Pub/Sub consumer copied the inbound CloudEvent's pub/sub-name and topic into producer-direction routing headers, allowing an actor who can publish to the subscribed topic to redirect the re-published message to an arbitrary Dapr Pub/Sub component and topic" +summary: "Camel-Dapr: The Dapr Pub/Sub consumer copied the inbound CloudEvent's pub/sub-name and topic into producer-direction routing headers, allowing an actor who can publish to the subscribed topic to redirect the re-published message to an arbitrary Dapr Pub/Sub component and topic" description: "The camel-dapr Dapr Pub/Sub consumer (DaprPubSubConsumer) copied two fields from each inbound CloudEvent - its Pub/Sub component name and its topic - into the CamelDaprPubSubName and CamelDaprTopic Exchange headers. These two headers are producer-direction routing headers: when the route republishes through a Dapr producer, DaprConfigurationOptionsProxy reads them back and prefers them over the destination configured on the endpoint. As a result, in a route that consumes fr [...] mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. For deployments that cannot upgrade immediately, remove the CamelDaprPubSubName and CamelDaprTopic headers from the Exchange between the Dapr consumer and any Dapr producer in the route (for example removeHeaders('CamelD [...] credit: "This issue was discovered by Leon Zlobecki" diff --git a/content/security/CVE-2026-49086.txt.asc b/content/security/CVE-2026-49086.txt.asc index 41fc06d8..1a5b0a8c 100644 --- a/content/security/CVE-2026-49086.txt.asc +++ b/content/security/CVE-2026-49086.txt.asc @@ -9,7 +9,7 @@ draft: false type: security-advisory cve: CVE-2026-49086 severity: MEDIUM -summary: "Apache Camel: Camel-Dapr: The Dapr Pub/Sub consumer copied the inbound CloudEvent's pub/sub-name and topic into producer-direction routing headers, allowing an actor who can publish to the subscribed topic to redirect the re-published message to an arbitrary Dapr Pub/Sub component and topic" +summary: "Camel-Dapr: The Dapr Pub/Sub consumer copied the inbound CloudEvent's pub/sub-name and topic into producer-direction routing headers, allowing an actor who can publish to the subscribed topic to redirect the re-published message to an arbitrary Dapr Pub/Sub component and topic" description: "The camel-dapr Dapr Pub/Sub consumer (DaprPubSubConsumer) copied two fields from each inbound CloudEvent - its Pub/Sub component name and its topic - into the CamelDaprPubSubName and CamelDaprTopic Exchange headers. These two headers are producer-direction routing headers: when the route republishes through a Dapr producer, DaprConfigurationOptionsProxy reads them back and prefers them over the destination configured on the endpoint. As a result, in a route that consumes fr [...] mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. For deployments that cannot upgrade immediately, remove the CamelDaprPubSubName and CamelDaprTopic headers from the Exchange between the Dapr consumer and any Dapr producer in the route (for example removeHeaders('CamelD [...] credit: "This issue was discovered by Leon Zlobecki" @@ -20,12 +20,12 @@ fixed: 4.14.8, 4.18.3 and 4.21.0 The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23630 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23886 (commit 72d13bd13fb5960ea1b367a2e379f017c1720c5c) and backported to camel-4.18.x (commit 86276a2ccc2cf8b09d7efeb38d9770845c4e1bea) and camel-4.14.x (commit c6fc9bb21670e5c65ea14df0f3f29baef78c2028). The fix stops DaprPubSubConsumer from setting the CamelDaprPubSubName and C [...] -----BEGIN PGP SIGNATURE----- -iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmovx0kACgkQ406fOAL/ -QQDcOQf/XURbbo0M6RbY17t6YywJtv+bXQD/yvqYqo15SsvAGq03oheNuPGopZiP -EEQn5LXXvilZcBaCMUdgZY009ccrcI0viGyRpyF+B4xOXBCJPkwIjR6vLeCnc0Ju -Ad8sg3kuIWd7eEntsTKiYEf6HaRh6YufJtawGgrWlYW7I/zXXJCy1YQ29eEszrZu -OIO31coxoGXhZooYZ22QDVhb+lCx2xsyozk3v2vuHp1SOQ8TI9rE6oIll8SSDCx1 -3FCTdjFOAnQ2PqUZvhjbSkcrQXvzLDgGb9Lwe8rJlkuCmYUfwyQ9JZ8SBHmBTNb0 -JvT2NnhC3JN2RrMIhR3rxW2IO8Fu+w== -=ANY3 +iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmoyo1kACgkQ406fOAL/ +QQDlUAgAmXAvFi+Os5eLROQrocUtndaF+tWK6+eNVpQAeaFvJMzD+BUeM4Iq1Yjx +2Qq4aUTO1eFlUUZ9PQoFU62tvNx97N87Vzs5TY9i9p2nSc5hY/wX5nJkAe7ioCRZ +UI9YbDEYIkvCVZWVslNZYN3zFPPyYPW5MQtEsKT9MS6uBVN029GMoRS+V+07VoSO +QqmkCxhtqODv5HtdJHN/+MG9B8JHfnvoyP4o39ed5Bynw2kb96+CDIxY93qXjoyh +9xv6xZJpQA/UkWUCvbkSoKqHCu6+SZ4mCpIbWBNMmXQcRvYanSedVE1ncxTQ9PKZ +Slw6M3B77c2UsKGrvsM2IqBxxK94OQ== +=FNf/ -----END PGP SIGNATURE----- diff --git a/content/security/CVE-2026-49097.md b/content/security/CVE-2026-49097.md index c8acc06a..02ed7682 100644 --- a/content/security/CVE-2026-49097.md +++ b/content/security/CVE-2026-49097.md @@ -6,7 +6,7 @@ draft: false type: security-advisory cve: CVE-2026-49097 severity: MEDIUM -summary: "Apache Camel: Camel-IRC: The irc.sendTo (and other irc.*) Exchange header constants used non-Camel-prefixed names that bypass the HTTP header filter, allowing an HTTP client to redirect outgoing IRC messages to arbitrary channels or users" +summary: "Camel-IRC: The irc.sendTo (and other irc.*) Exchange header constants used non-Camel-prefixed names that bypass the HTTP header filter, allowing an HTTP client to redirect outgoing IRC messages to arbitrary channels or users" description: "The camel-irc producer chooses the destination of an outgoing IRC message from the irc.sendTo Exchange header (the constant IrcConstants.IRC_SEND_TO, value irc.sendTo); when that header is present it overrides the channel list configured on the endpoint, and the message is sent only to the specified destination. This and the component's other control headers (irc.target, irc.messageType, irc.user.*, irc.num, irc.value) used plain, non-Camel-prefixed values. Because these na [...] mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, routes that set IRC headers via the raw header names must use the CamelIrc* names (for example CamelIrcSendTo) instead of the old irc.* values. For deployments that cannot upgrade immediately, strip the [...] credit: "This issue was discovered by Yu Bao from PayPal" diff --git a/content/security/CVE-2026-49097.txt.asc b/content/security/CVE-2026-49097.txt.asc index 903eb459..e1432c58 100644 --- a/content/security/CVE-2026-49097.txt.asc +++ b/content/security/CVE-2026-49097.txt.asc @@ -9,7 +9,7 @@ draft: false type: security-advisory cve: CVE-2026-49097 severity: MEDIUM -summary: "Apache Camel: Camel-IRC: The irc.sendTo (and other irc.*) Exchange header constants used non-Camel-prefixed names that bypass the HTTP header filter, allowing an HTTP client to redirect outgoing IRC messages to arbitrary channels or users" +summary: "Camel-IRC: The irc.sendTo (and other irc.*) Exchange header constants used non-Camel-prefixed names that bypass the HTTP header filter, allowing an HTTP client to redirect outgoing IRC messages to arbitrary channels or users" description: "The camel-irc producer chooses the destination of an outgoing IRC message from the irc.sendTo Exchange header (the constant IrcConstants.IRC_SEND_TO, value irc.sendTo); when that header is present it overrides the channel list configured on the endpoint, and the message is sent only to the specified destination. This and the component's other control headers (irc.target, irc.messageType, irc.user.*, irc.num, irc.value) used plain, non-Camel-prefixed values. Because these na [...] mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, routes that set IRC headers via the raw header names must use the CamelIrc* names (for example CamelIrcSendTo) instead of the old irc.* values. For deployments that cannot upgrade immediately, strip the [...] credit: "This issue was discovered by Yu Bao from PayPal" @@ -20,12 +20,12 @@ fixed: 4.14.8, 4.18.3 and 4.21.0 The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23629 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23594 (commit 0be886bf433c718abe4a27498245f6898366fb0c) and backported to camel-4.18.x (commit 2959633a6dd51a9736a9efaedaa843548fcd2d3e) and camel-4.14.x (commit 18b64b47fda68b15f4eb9f7ce8148c8b9ec819a0). The fix renames the 10 camel-irc Exchange header constant values to the Cam [...] -----BEGIN PGP SIGNATURE----- -iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmovx0oACgkQ406fOAL/ -QQDuCQf9Gj5KnDvf5fPPTMs3R6HNEAFL8BHoObf2A4GJ8T1NxeHTXq6TFWZoUUGP -kzdThKfMaqAeXzZ48yWLNSPkD+NXs3iyPhBuz3UNX2vva+cZpMkxSQd7rcaUI/+p -5yhIhiB9E23dXolg/StV2qv9JyTj1onQQSu2yQA/RRUiYMPALav0wEkJBbBdpEHJ -0+HqarYFHRUXBXixrX2dboCokhe6OTp5AWKwk69LZlM8GgvYSaBEJsWvPWsqODLv -4iM3hNKPbxIIZ0wFbe3y4VG6E9pF0xebQMR0XEpphJosnls1n5129bSiMLvYMZfm -ZwY4huCmw7KVWDv7nExj2KBzRjRcXA== -=I/Ri +iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmoyo1kACgkQ406fOAL/ +QQDiWAf9EQhsxuSIT4gEfzbuBc+D/lcuVD65A4cB4TTRdvWAndeM6gPX3w8V9nHh +GVzdw57QmLo5DjbyMoEOLfrPSyy2CAPXSXgf1aINxWBYjSg+rdbK21kf0FvwQmLt +9FAngH8+7cp2Ga1HhW5GmJjb0pty3rwcT8Suz+N7TdYjyR+1aIBpn9F8KyWL9MtG +y7FVEa7ar/yw8Z32Viq9x3ceDxS4qQtfTahdr3+sm+RPazXnc0h3IzFqhI/J8Tfu +6GnKxKiILrtXSdJz+SE8WwyDFLpclrToykwgNJELB1hSlNu/TGPRx9J58oJ3dADj +OFvbTmSn4egIX+h/ph0R6790ef/Iqw== +=hD2S -----END PGP SIGNATURE----- diff --git a/content/security/CVE-2026-49098.md b/content/security/CVE-2026-49098.md index 5dea81c4..12f04ae0 100644 --- a/content/security/CVE-2026-49098.md +++ b/content/security/CVE-2026-49098.md @@ -6,7 +6,7 @@ draft: false type: security-advisory cve: CVE-2026-49098 severity: MEDIUM -summary: "Apache Camel: Camel-Kafka: The kafka.OVERRIDE_TOPIC (and other kafka.*) Exchange header constants used non-Camel-prefixed names that bypass the upstream HTTP header filter, allowing an HTTP client to redirect Kafka messages to an arbitrary topic" +summary: "Camel-Kafka: The kafka.OVERRIDE_TOPIC (and other kafka.*) Exchange header constants used non-Camel-prefixed names that bypass the upstream HTTP header filter, allowing an HTTP client to redirect Kafka messages to an arbitrary topic" description: "The camel-kafka producer can override its configured target topic at runtime from the kafka.OVERRIDE_TOPIC Exchange header: KafkaProducer.evaluateTopic() returns the header value in preference to the topic configured on the endpoint. The control-header constants in KafkaConstants (for example OVERRIDE_TOPIC = kafka.OVERRIDE_TOPIC, OVERRIDE_TIMESTAMP = kafka.OVERRIDE_TIMESTAMP, PARTITION_KEY = kafka.PARTITION_KEY) used plain, non-Camel-prefixed values. camel-kafka's own Kafk [...] mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, routes that set or read Kafka headers via the raw header names must use the CamelKafka* names (for example CamelKafkaOverrideTopic and CamelKafkaTopic) instead of the old kafka.* values. For deployments [...] credit: "This issue was discovered by Yu Bao from PayPal" diff --git a/content/security/CVE-2026-49098.txt.asc b/content/security/CVE-2026-49098.txt.asc index f2ab508b..24324731 100644 --- a/content/security/CVE-2026-49098.txt.asc +++ b/content/security/CVE-2026-49098.txt.asc @@ -9,7 +9,7 @@ draft: false type: security-advisory cve: CVE-2026-49098 severity: MEDIUM -summary: "Apache Camel: Camel-Kafka: The kafka.OVERRIDE_TOPIC (and other kafka.*) Exchange header constants used non-Camel-prefixed names that bypass the upstream HTTP header filter, allowing an HTTP client to redirect Kafka messages to an arbitrary topic" +summary: "Camel-Kafka: The kafka.OVERRIDE_TOPIC (and other kafka.*) Exchange header constants used non-Camel-prefixed names that bypass the upstream HTTP header filter, allowing an HTTP client to redirect Kafka messages to an arbitrary topic" description: "The camel-kafka producer can override its configured target topic at runtime from the kafka.OVERRIDE_TOPIC Exchange header: KafkaProducer.evaluateTopic() returns the header value in preference to the topic configured on the endpoint. The control-header constants in KafkaConstants (for example OVERRIDE_TOPIC = kafka.OVERRIDE_TOPIC, OVERRIDE_TIMESTAMP = kafka.OVERRIDE_TIMESTAMP, PARTITION_KEY = kafka.PARTITION_KEY) used plain, non-Camel-prefixed values. camel-kafka's own Kafk [...] mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, routes that set or read Kafka headers via the raw header names must use the CamelKafka* names (for example CamelKafkaOverrideTopic and CamelKafkaTopic) instead of the old kafka.* values. For deployments [...] credit: "This issue was discovered by Yu Bao from PayPal" @@ -20,12 +20,12 @@ fixed: 4.14.8, 4.18.3 and 4.21.0 The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23584 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23602 (commit f8914a219ad473811c01562b5b85e83ba583b583) and backported to camel-4.18.x (commit d4c6fd85358b65d99dfe26722278eaf35fd0029c) and camel-4.14.x (commit 93cd4c4e1d1619d71aa9b56c3850d4d6ccd74375). The fix renames the 12 camel-kafka Exchange header constant values to the C [...] -----BEGIN PGP SIGNATURE----- -iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmovx0oACgkQ406fOAL/ -QQAt3wgAiRhZNMcqGhsNaH9HVoItAlLFICq7uVMJr9IT5LP4m8DxFiV+8oTiqVug -lA875ipallERiQ6M519jOpjZsBoxUCoS7KSnE1lI2M1R7Evtzp+U0Rv5ybk568xx -4d+yH2XEmmm9Cz89/oeDSbjz90cY5rYE/K0fB4XRC1pJt4n6YvxtHteyhZtj+nQE -WoHSbWOLfZi+AUAGVGZbL5yeZLyR+g7uvalc4VZ5kEIInlHOjxy2eeKJMIdFUip0 -jtspCK/qgVK71XfS6eCiRh8HssiB7UjtvuaO7cCNelmx1+aBuyQ2HWxwazSloYt4 -VmTEw1IOPOWAiadJFG4Ps8s2BhZbjg== -=dgKG +iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmoyo1kACgkQ406fOAL/ +QQA28Af/fUBaWQTiTJCEQXQOXHRaCzNFu6F1JPm+G4V9P6kPUEZRzedz4DJ8o7Zm +KitWhcgb0l5IoPhZtltcwvSXsCIOaKKUJtry7tARM3up2Y1+0tGcQhYsIfg171QA +32gPl9lP2s88JLLi6lGPxuhIi5Hfxfi7vEF7sXFR/npWjUTnTKPinQfIbUXjtblh +jfreUQDLz9j+vmj0wbsydJfEOQ/KS9Eh847NHayMVdudIDJmreYh16v3H8Ijy90M +hDBTozr8PZcL9zJEbhvhiFhl8aqwOzypbOJ0kd+f/hBtgUAcCkjCDVpB5qoF/Mvb +TqzCKrbWjD+5yDae/Fhq96hsufWwTw== +=pjR7 -----END PGP SIGNATURE----- diff --git a/content/security/CVE-2026-49099.md b/content/security/CVE-2026-49099.md index e990baea..4fa6d790 100644 --- a/content/security/CVE-2026-49099.md +++ b/content/security/CVE-2026-49099.md @@ -6,7 +6,7 @@ draft: false type: security-advisory cve: CVE-2026-49099 severity: MEDIUM -summary: "Apache Camel: Camel-Salesforce: Non-Camel-prefixed Exchange header constants (sObjectQuery, sObjectSearch, apexUrl, ...) bypass the HTTP header filter, allowing an HTTP client to inject SOQL/SOSL queries, override the target SObject, and redirect Apex REST calls using the connected Salesforce user's permissions" +summary: "Camel-Salesforce: Non-Camel-prefixed Exchange header constants (sObjectQuery, sObjectSearch, apexUrl, ...) bypass the HTTP header filter, allowing an HTTP client to inject SOQL/SOSL queries, override the target SObject, and redirect Apex REST calls using the connected Salesforce user's permissions" description: "The camel-salesforce producer resolves its operation parameters - the SOQL query, the SOSL search, the target SObject name and id, the Apex REST URL and method, and the Apex query parameters - from Exchange message headers, reading the header in preference to the value configured on the endpoint (AbstractSalesforceProcessor.getParameter() reads the header first and uses the endpoint configuration only as a fallback). The control-header constants in SalesforceEndpointConfig [...] mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, routes that set Salesforce operation parameters via the raw header names must use the CamelSalesforce* names (for example CamelSalesforceSObjectQuery and CamelSalesforceApexUrl) instead of the old sObjec [...] credit: "This issue was discovered by Yu Bao from PayPal" diff --git a/content/security/CVE-2026-49099.txt.asc b/content/security/CVE-2026-49099.txt.asc index 1abacec3..ac5621bd 100644 --- a/content/security/CVE-2026-49099.txt.asc +++ b/content/security/CVE-2026-49099.txt.asc @@ -9,7 +9,7 @@ draft: false type: security-advisory cve: CVE-2026-49099 severity: MEDIUM -summary: "Apache Camel: Camel-Salesforce: Non-Camel-prefixed Exchange header constants (sObjectQuery, sObjectSearch, apexUrl, ...) bypass the HTTP header filter, allowing an HTTP client to inject SOQL/SOSL queries, override the target SObject, and redirect Apex REST calls using the connected Salesforce user's permissions" +summary: "Camel-Salesforce: Non-Camel-prefixed Exchange header constants (sObjectQuery, sObjectSearch, apexUrl, ...) bypass the HTTP header filter, allowing an HTTP client to inject SOQL/SOSL queries, override the target SObject, and redirect Apex REST calls using the connected Salesforce user's permissions" description: "The camel-salesforce producer resolves its operation parameters - the SOQL query, the SOSL search, the target SObject name and id, the Apex REST URL and method, and the Apex query parameters - from Exchange message headers, reading the header in preference to the value configured on the endpoint (AbstractSalesforceProcessor.getParameter() reads the header first and uses the endpoint configuration only as a fallback). The control-header constants in SalesforceEndpointConfig [...] mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, routes that set Salesforce operation parameters via the raw header names must use the CamelSalesforce* names (for example CamelSalesforceSObjectQuery and CamelSalesforceApexUrl) instead of the old sObjec [...] credit: "This issue was discovered by Yu Bao from PayPal" @@ -20,12 +20,12 @@ fixed: 4.14.8, 4.18.3 and 4.21.0 The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23716 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23887 (commit 3445c57e147da12ccfdde066c06ec5492d8c262b) and backported to camel-4.18.x (commit 578eb2a0a089c94f507853a737d7c46365f0272e) and camel-4.14.x (commit 48880af9d401e8c03473a14bd652ce012b66157b). The fix renames the 39 producer-read camel-salesforce Exchange header const [...] -----BEGIN PGP SIGNATURE----- -iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmovx0oACgkQ406fOAL/ -QQC2Dwf/ZfZYUGecOxRHjtR+mkmlXgZ2XNpIcrCNP42dH1blwuSIEiktZi0gEuMW -MYhnIH+82vjcYJdLjT69xFdzChEFh/fHs8NZTK4DqcKo/4XboNUfEQEDdZ6Bcttm -dciFNFcrSDif7BknJakPqvRhaQ9SvDXWXVEn0TkK8DTyJIc6YwnckvyoXuTFIpH1 -uTYtwluPXWkEZi2Vkl52F5l0SW+9pDotVoOavJpZ1cWJMKVoDm7nDRsr4h93klEs -V75W8gTOu+X025G0siFLn4JfeL9Fk8HPA3zfvUTgVbm6Cz9MZM4to5KmASOYoJ7c -10tGQiqkfj30qllgbynZZlqNnrW+8g== -=qJFH +iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmoyo1kACgkQ406fOAL/ +QQBwuQf+NP58OBGxNEEEFWKGp/U1g07SL9v739nLjmdc8uMTNce15orvFm5AMvTe +3VunewnPF1BbPb+Xp8ZiRb+QfIuCvLTkB/jlUMUzRTWunvhBC0Voj3DVX6aDe/VX +TJGpqvhGKFajzrFMzXm2IsS+NOBCiSzqksnW3A/x56IeGHIct33wiF7k9ATjqDIL +xtC3XUsU0dWkq4hWVrsGgZb6HXZ0G2wW3dKQ3MjGTKqIbwbW0BZspjYj2gTxC0lm +RmQKJC37LRMAg9aJo++SPhCwMJKURTzYOQh23rZMfDM5GTCO5FbyqWtit0tZko4z +YT46Z2lR+dpsSIXX4hzfDPE5IP2lZQ== +=4nvg -----END PGP SIGNATURE----- diff --git a/content/security/CVE-2026-49365.md b/content/security/CVE-2026-49365.md index 7ba889c8..664f1673 100644 --- a/content/security/CVE-2026-49365.md +++ b/content/security/CVE-2026-49365.md @@ -6,7 +6,7 @@ draft: false type: security-advisory cve: CVE-2026-49365 severity: MEDIUM -summary: "Apache Camel: Camel-Netty-HTTP and Camel-Undertow: The muteException consumer option defaulted to false, so a processing error returned the full Java stack trace in the HTTP response body, disclosing sensitive internal information to unauthenticated clients" +summary: "Camel-Netty-HTTP and Camel-Undertow: The muteException consumer option defaulted to false, so a processing error returned the full Java stack trace in the HTTP response body, disclosing sensitive internal information to unauthenticated clients" description: "The camel-netty-http and camel-undertow HTTP server consumers expose a muteException option that controls what is returned to the client when a route processing error occurs. In both components this option defaulted to false - in camel-netty-http because the backing field was an uninitialised primitive boolean (Java's default of false), and in camel-undertow likewise - whereas the other Camel HTTP server components (camel-http / camel-jetty / camel-servlet and camel-platfor [...] mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. For deployments that cannot upgrade immediately, set muteException=true explicitly on the camel-netty-http and camel-undertow consumers (for example netty-http:http://0.0.0.0:8080/api?muteException=true, or globally via [...] credit: "This issue was discovered by Yu Bao from PayPal" diff --git a/content/security/CVE-2026-49365.txt.asc b/content/security/CVE-2026-49365.txt.asc index 871599de..e01c1331 100644 --- a/content/security/CVE-2026-49365.txt.asc +++ b/content/security/CVE-2026-49365.txt.asc @@ -9,7 +9,7 @@ draft: false type: security-advisory cve: CVE-2026-49365 severity: MEDIUM -summary: "Apache Camel: Camel-Netty-HTTP and Camel-Undertow: The muteException consumer option defaulted to false, so a processing error returned the full Java stack trace in the HTTP response body, disclosing sensitive internal information to unauthenticated clients" +summary: "Camel-Netty-HTTP and Camel-Undertow: The muteException consumer option defaulted to false, so a processing error returned the full Java stack trace in the HTTP response body, disclosing sensitive internal information to unauthenticated clients" description: "The camel-netty-http and camel-undertow HTTP server consumers expose a muteException option that controls what is returned to the client when a route processing error occurs. In both components this option defaulted to false - in camel-netty-http because the backing field was an uninitialised primitive boolean (Java's default of false), and in camel-undertow likewise - whereas the other Camel HTTP server components (camel-http / camel-jetty / camel-servlet and camel-platfor [...] mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. For deployments that cannot upgrade immediately, set muteException=true explicitly on the camel-netty-http and camel-undertow consumers (for example netty-http:http://0.0.0.0:8080/api?muteException=true, or globally via [...] credit: "This issue was discovered by Yu Bao from PayPal" @@ -20,12 +20,12 @@ fixed: 4.14.8, 4.18.3 and 4.21.0 The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23651 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23913 (commit 6cea553aa42ed1326ac57ad800d66674bc453932) and backported to camel-4.18.x (commit 1bd7389bd244da719404cf66d5b3676d41498bec) and camel-4.14.x (commit d3a13956ad2fd7280ad3ab678d79caf3bd0b4661). The fix aligns the muteException consumer-option default in camel-netty-htt [...] -----BEGIN PGP SIGNATURE----- -iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmovx0oACgkQ406fOAL/ -QQAmrAgAlj+tDSZ4/gtiIW41O31rLAvgMJ0U0hVefE354YUob/ca1mNkk35EEsAk -KdhXYXNTmN0ux4TIA5KvTCfGR4kp0jCBjShM4xOKZKNrSXWFoHoiUk/jn1CkYP8n -+JpIlc+33wqzCyWAkvgpJdfQdcaEeYoMP7WecWeX3hdF+QhvOr8veZXaDw2aMqug -uDRoUiWuzHHQjPts/nU2YnDGg2wGutXS+NakFbxbiKD21mM0nXRBeipJ21lq5eZ8 -vb1s8jU0BFSlJPKjKTypQKZFVrssTnUmehbXwRh2192i7TxaxnlUVD7qvDjhxOL8 -ex6SFZqtL6S8hS/w/5q5CHL2Oo16TQ== -=9yZh +iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmoyo1oACgkQ406fOAL/ +QQBrwQgAi6I2aggOCjyAMMi0SNscu+VFqJI/MdIiFJnW+A2KVh4GGeui2jrMcg2t +71OlDX+fQkmMBVhZQX4RfB4yfqBcXXSKWxdvfiTWuFU8uLGFZ31TSmYo51nnj37E +xDsNoa7DQ4ZJjpxud0AqV80+Mpb/vkxr1MxcM9Qloj8HHR80gWR9c/WmNayfIvlv +cCX41FsrSFOJpvfwA1bibq6AongRAI6yrtgBzTpd/SUqM3gGe2CVKE6nXi1ZQ2WN +y4JL+OoHYvPMQV+YsrCPGkyQRDOkVwzRW9ii7scOa1jUUnHQVqgBWFn8KFrIRoaZ +jM5883ZFwq0eDs3yXPfaqF0cHiEOSA== +=vOpR -----END PGP SIGNATURE----- diff --git a/content/security/CVE-2026-53913.md b/content/security/CVE-2026-53913.md index d5c81934..85aefed7 100644 --- a/content/security/CVE-2026-53913.md +++ b/content/security/CVE-2026-53913.md @@ -6,7 +6,7 @@ draft: false type: security-advisory cve: CVE-2026-53913 severity: HIGH -summary: "Apache Camel: Camel-Keycloak: KeycloakSecurityPolicy verifies the bearer access token only inside its role and permission checks, so in the default configuration (no required roles or permissions) the token is never verified and any non-null bearer value is accepted - a fail-open authentication bypass" +summary: "Camel-Keycloak: KeycloakSecurityPolicy verifies the bearer access token only inside its role and permission checks, so in the default configuration (no required roles or permissions) the token is never verified and any non-null bearer value is accepted - a fail-open authentication bypass" description: "The KeycloakSecurityPolicy of camel-keycloak guards a route by running KeycloakSecurityProcessor.beforeProcess(), which performs three checks in sequence: it rejects a request that carries no access token, then - only if requiredRoles is non-empty - validates the roles, and - only if requiredPermissions is non-empty - validates the permissions. The actual cryptographic verification of the bearer access token (signature, issuer and expiry for a local JWT, or active-state and [...] mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. For deployments that cannot upgrade immediately, configure a non-empty requiredRoles or requiredPermissions on every KeycloakSecurityPolicy so that the token-verification path is exercised, set allowTokenFromHeader to false where the token is not expected from the request header, or perform token verification at [...] credit: "This issue was discovered by Lidor Ben Shitrit from Novee Security" diff --git a/content/security/CVE-2026-53913.txt.asc b/content/security/CVE-2026-53913.txt.asc index 51bb8aa3..c04e5d9b 100644 --- a/content/security/CVE-2026-53913.txt.asc +++ b/content/security/CVE-2026-53913.txt.asc @@ -9,7 +9,7 @@ draft: false type: security-advisory cve: CVE-2026-53913 severity: HIGH -summary: "Apache Camel: Camel-Keycloak: KeycloakSecurityPolicy verifies the bearer access token only inside its role and permission checks, so in the default configuration (no required roles or permissions) the token is never verified and any non-null bearer value is accepted - a fail-open authentication bypass" +summary: "Camel-Keycloak: KeycloakSecurityPolicy verifies the bearer access token only inside its role and permission checks, so in the default configuration (no required roles or permissions) the token is never verified and any non-null bearer value is accepted - a fail-open authentication bypass" description: "The KeycloakSecurityPolicy of camel-keycloak guards a route by running KeycloakSecurityProcessor.beforeProcess(), which performs three checks in sequence: it rejects a request that carries no access token, then - only if requiredRoles is non-empty - validates the roles, and - only if requiredPermissions is non-empty - validates the permissions. The actual cryptographic verification of the bearer access token (signature, issuer and expiry for a local JWT, or active-state and [...] mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. For deployments that cannot upgrade immediately, configure a non-empty requiredRoles or requiredPermissions on every KeycloakSecurityPolicy so that the token-verification path is exercised, set allowTokenFromHeader to false where the token is not expected from the request header, or perform token verification at [...] credit: "This issue was discovered by Lidor Ben Shitrit from Novee Security" @@ -20,12 +20,12 @@ fixed: 4.18.3 and 4.21.0 The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23738 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23958 (commit 1477cb4e87b2c301f1cdcddca5b153fbbef6934b) and backported to camel-4.18.x (commit b62170072348cc4073ddf705ad716aa3678d6c09). The fix makes KeycloakSecurityProcessor.beforeProcess() always authenticate the access token when one is present, independently of whether rol [...] -----BEGIN PGP SIGNATURE----- -iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmovx0oACgkQ406fOAL/ -QQB2pAf+JGsU4P7qMm29/EJMFDv1myuKYrK8V7Ft0ShxmcO4lxSlGpaY2Ht4vqS6 -cfYK3twDSp3PyDbyPmfV0vjYT5tuYKKLZAL4S3GX1MmMhEtnCMkiGZ/EyU7ZaaJ/ -+Kzkmsh1zS69XikwGIaVRwd3bY0H/IjfHO2XVoAcXikJ0LX4x3g/7CjwQNVfLMHV -2X7MyDeSwlmvuo8p9LyNG+aIUk/QX8ncezbshRrRgbCoF/q2Y75wthPjrSTIIUok -KS4WNhqT5l3mVc7TbNJQn3TZ+aY0/40ydpDabBTiEuYcyIhsTP6Qpuop0fCIK+bf -p5r0V24ABl97PaKVRwROdH4AKYJokA== -=uDCR +iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmoyo1oACgkQ406fOAL/ +QQCuPQf/SoUiMZd6aC4u32cTeMeinJxY3eoI3ILCwJiUJkH30DhOtnZTKeJQ9ZWR +qM4LjkhaS+BhmIXULPsimSPq4lODKkLTj1ZkQb0b+aqtf9MzYKK9vSz5g508yAnh +Etg14qnR4UF8KAVmvBJzMHm3UQ+GCOevc7l29t6RnXgF9VLySVVkVHPR5CiVoUMT +eQK7eHg8UZetxBTf2KWW+QPHOzWXwGIyCzWPNv42PFHrxsBXkQ0kOZl+23KrafXl +KmvgoZGkO5k7gpi24TZU0LmGu1n2FDInR8cwoITPMk5InWLCwdWw+mcrup1SUnT6 +NpNuTlnkm8XbdbKhs6IPUkCOlyEoNg== +=bQeG -----END PGP SIGNATURE-----
