This is an automated email from the ASF dual-hosted git repository.

oscerd pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel-website.git

commit b681723be61d8939c1d02a9899c6c3aa281a861b
Author: Andrea Cosentino <[email protected]>
AuthorDate: Mon Jun 15 12:27:06 2026 +0200

    Added CVE-2026-46585
    
    Signed-off-by: Andrea Cosentino <[email protected]>
---
 content/security/CVE-2026-46585.md      | 17 +++++++++++++++++
 content/security/CVE-2026-46585.txt.asc | 31 +++++++++++++++++++++++++++++++
 2 files changed, 48 insertions(+)

diff --git a/content/security/CVE-2026-46585.md 
b/content/security/CVE-2026-46585.md
new file mode 100644
index 00000000..d230f47b
--- /dev/null
+++ b/content/security/CVE-2026-46585.md
@@ -0,0 +1,17 @@
+---
+title: "Apache Camel Security Advisory - CVE-2026-46585"
+date: 2026-06-10T10:00:00+02:00
+url: /security/CVE-2026-46585.html
+draft: false
+type: security-advisory
+cve: CVE-2026-46585
+severity: MEDIUM
+summary: "Apache Camel: Camel-Lucene: The query control headers used 
non-Camel-prefixed names (QUERY, RETURN_LUCENE_DOCS) that bypass the HTTP 
header filter, allowing an HTTP client to inject the full-text search query"
+description: "The camel-lucene producer reads the search phrase from an 
Exchange header (LuceneConstants.HEADER_QUERY) whose value was the plain string 
QUERY (and RETURN_LUCENE_DOCS for HEADER_RETURN_LUCENE_DOCS). Because these 
names do not start with the Camel / camel prefix, HttpHeaderFilterStrategy - 
which blocks only the Camel header namespace on the HTTP boundary - let them 
pass from an inbound HTTP request straight into the Exchange. In a route that 
exposes a Lucene query operation [...]
+mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes 
the issue. If users are on the 4.14.x LTS releases stream, then they are 
suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, 
then they are suggested to upgrade to 4.18.3. After upgrading, routes that set 
the query via the raw header name must use CamelLuceneQuery (and 
CamelLuceneReturnLuceneDocs) instead of QUERY / RETURN_LUCENE_DOCS. For 
deployments that cannot upgrade immediately, strip [...]
+credit: "This issue was discovered by Andrea Cosentino from the Apache 
Software Foundation and Yu Bao from PayPal"
+affected: "From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 
before 4.21.0."
+fixed: 4.14.8, 4.18.3 and 4.21.0
+---
+
+The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23509 refers to 
the various commits that resolved the issue, and have more details. The fix was 
merged on main in https://github.com/apache/camel/pull/23208 (commit 
878ea07996caff19ed227984bf6cb6cf01983422) and backported to camel-4.18.x 
(commit 16a70d48145605c1a35e909d308bf9e5e2d3e7d8) and camel-4.14.x (commit 
349f197115d60e0c180cf9836e08f4aeb5a87872). The fix renames the camel-lucene 
Exchange header values to the Camel conven [...]
diff --git a/content/security/CVE-2026-46585.txt.asc 
b/content/security/CVE-2026-46585.txt.asc
new file mode 100644
index 00000000..66976542
--- /dev/null
+++ b/content/security/CVE-2026-46585.txt.asc
@@ -0,0 +1,31 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+- ---
+title: "Apache Camel Security Advisory - CVE-2026-46585"
+date: 2026-06-10T10:00:00+02:00
+url: /security/CVE-2026-46585.html
+draft: false
+type: security-advisory
+cve: CVE-2026-46585
+severity: MEDIUM
+summary: "Apache Camel: Camel-Lucene: The query control headers used 
non-Camel-prefixed names (QUERY, RETURN_LUCENE_DOCS) that bypass the HTTP 
header filter, allowing an HTTP client to inject the full-text search query"
+description: "The camel-lucene producer reads the search phrase from an 
Exchange header (LuceneConstants.HEADER_QUERY) whose value was the plain string 
QUERY (and RETURN_LUCENE_DOCS for HEADER_RETURN_LUCENE_DOCS). Because these 
names do not start with the Camel / camel prefix, HttpHeaderFilterStrategy - 
which blocks only the Camel header namespace on the HTTP boundary - let them 
pass from an inbound HTTP request straight into the Exchange. In a route that 
exposes a Lucene query operation [...]
+mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes 
the issue. If users are on the 4.14.x LTS releases stream, then they are 
suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, 
then they are suggested to upgrade to 4.18.3. After upgrading, routes that set 
the query via the raw header name must use CamelLuceneQuery (and 
CamelLuceneReturnLuceneDocs) instead of QUERY / RETURN_LUCENE_DOCS. For 
deployments that cannot upgrade immediately, strip [...]
+credit: "This issue was discovered by Andrea Cosentino from the Apache 
Software Foundation and Yu Bao from PayPal"
+affected: "From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 
before 4.21.0."
+fixed: 4.14.8, 4.18.3 and 4.21.0
+- ---
+
+The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23509 refers to 
the various commits that resolved the issue, and have more details. The fix was 
merged on main in https://github.com/apache/camel/pull/23208 (commit 
878ea07996caff19ed227984bf6cb6cf01983422) and backported to camel-4.18.x 
(commit 16a70d48145605c1a35e909d308bf9e5e2d3e7d8) and camel-4.14.x (commit 
349f197115d60e0c180cf9836e08f4aeb5a87872). The fix renames the camel-lucene 
Exchange header values to the Camel conven [...]
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmovx0kACgkQ406fOAL/
+QQC3GggAnZOT1B4CJk0IS6DqwsJKrl1PTGC6u84vl7R1x6P5Y/c6yurVduLBy4ov
+HXeB1Abkr2NXJr24OTUT3jov5Mwju6wwzrzznukMpPW34rm+9UzyzxyuFRAU4Nw/
+0Ybxx43ixIy4+dOYxVZfIUEmUQ79Hyiy7WMsjFylUFAEeeJ3gEDPDXO21e/KJ2FM
+C9ZY98n9PgLbNeKpYPMEghOf71JVhlWwJTGM57NdeX9bBYPjYJTX3CWuEvAb8AR9
+Q8oPy59r5oiw2WB7JEzvPCPMgnSF06QzqjDl5zkpeGzwK8bYmhlokascvKmxdffK
+qXorC3BLZVsPyD1CCNGRtUwcbXImTQ==
+=AxD0
+-----END PGP SIGNATURE-----

Reply via email to