This is an automated email from the ASF dual-hosted git repository. oscerd pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/camel-website.git
commit b681723be61d8939c1d02a9899c6c3aa281a861b Author: Andrea Cosentino <[email protected]> AuthorDate: Mon Jun 15 12:27:06 2026 +0200 Added CVE-2026-46585 Signed-off-by: Andrea Cosentino <[email protected]> --- content/security/CVE-2026-46585.md | 17 +++++++++++++++++ content/security/CVE-2026-46585.txt.asc | 31 +++++++++++++++++++++++++++++++ 2 files changed, 48 insertions(+) diff --git a/content/security/CVE-2026-46585.md b/content/security/CVE-2026-46585.md new file mode 100644 index 00000000..d230f47b --- /dev/null +++ b/content/security/CVE-2026-46585.md @@ -0,0 +1,17 @@ +--- +title: "Apache Camel Security Advisory - CVE-2026-46585" +date: 2026-06-10T10:00:00+02:00 +url: /security/CVE-2026-46585.html +draft: false +type: security-advisory +cve: CVE-2026-46585 +severity: MEDIUM +summary: "Apache Camel: Camel-Lucene: The query control headers used non-Camel-prefixed names (QUERY, RETURN_LUCENE_DOCS) that bypass the HTTP header filter, allowing an HTTP client to inject the full-text search query" +description: "The camel-lucene producer reads the search phrase from an Exchange header (LuceneConstants.HEADER_QUERY) whose value was the plain string QUERY (and RETURN_LUCENE_DOCS for HEADER_RETURN_LUCENE_DOCS). Because these names do not start with the Camel / camel prefix, HttpHeaderFilterStrategy - which blocks only the Camel header namespace on the HTTP boundary - let them pass from an inbound HTTP request straight into the Exchange. In a route that exposes a Lucene query operation [...] +mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, routes that set the query via the raw header name must use CamelLuceneQuery (and CamelLuceneReturnLuceneDocs) instead of QUERY / RETURN_LUCENE_DOCS. For deployments that cannot upgrade immediately, strip [...] +credit: "This issue was discovered by Andrea Cosentino from the Apache Software Foundation and Yu Bao from PayPal" +affected: "From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0." +fixed: 4.14.8, 4.18.3 and 4.21.0 +--- + +The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23509 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23208 (commit 878ea07996caff19ed227984bf6cb6cf01983422) and backported to camel-4.18.x (commit 16a70d48145605c1a35e909d308bf9e5e2d3e7d8) and camel-4.14.x (commit 349f197115d60e0c180cf9836e08f4aeb5a87872). The fix renames the camel-lucene Exchange header values to the Camel conven [...] diff --git a/content/security/CVE-2026-46585.txt.asc b/content/security/CVE-2026-46585.txt.asc new file mode 100644 index 00000000..66976542 --- /dev/null +++ b/content/security/CVE-2026-46585.txt.asc @@ -0,0 +1,31 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +- --- +title: "Apache Camel Security Advisory - CVE-2026-46585" +date: 2026-06-10T10:00:00+02:00 +url: /security/CVE-2026-46585.html +draft: false +type: security-advisory +cve: CVE-2026-46585 +severity: MEDIUM +summary: "Apache Camel: Camel-Lucene: The query control headers used non-Camel-prefixed names (QUERY, RETURN_LUCENE_DOCS) that bypass the HTTP header filter, allowing an HTTP client to inject the full-text search query" +description: "The camel-lucene producer reads the search phrase from an Exchange header (LuceneConstants.HEADER_QUERY) whose value was the plain string QUERY (and RETURN_LUCENE_DOCS for HEADER_RETURN_LUCENE_DOCS). Because these names do not start with the Camel / camel prefix, HttpHeaderFilterStrategy - which blocks only the Camel header namespace on the HTTP boundary - let them pass from an inbound HTTP request straight into the Exchange. In a route that exposes a Lucene query operation [...] +mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, routes that set the query via the raw header name must use CamelLuceneQuery (and CamelLuceneReturnLuceneDocs) instead of QUERY / RETURN_LUCENE_DOCS. For deployments that cannot upgrade immediately, strip [...] +credit: "This issue was discovered by Andrea Cosentino from the Apache Software Foundation and Yu Bao from PayPal" +affected: "From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0." +fixed: 4.14.8, 4.18.3 and 4.21.0 +- --- + +The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23509 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23208 (commit 878ea07996caff19ed227984bf6cb6cf01983422) and backported to camel-4.18.x (commit 16a70d48145605c1a35e909d308bf9e5e2d3e7d8) and camel-4.14.x (commit 349f197115d60e0c180cf9836e08f4aeb5a87872). The fix renames the camel-lucene Exchange header values to the Camel conven [...] +-----BEGIN PGP SIGNATURE----- + +iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmovx0kACgkQ406fOAL/ +QQC3GggAnZOT1B4CJk0IS6DqwsJKrl1PTGC6u84vl7R1x6P5Y/c6yurVduLBy4ov +HXeB1Abkr2NXJr24OTUT3jov5Mwju6wwzrzznukMpPW34rm+9UzyzxyuFRAU4Nw/ +0Ybxx43ixIy4+dOYxVZfIUEmUQ79Hyiy7WMsjFylUFAEeeJ3gEDPDXO21e/KJ2FM +C9ZY98n9PgLbNeKpYPMEghOf71JVhlWwJTGM57NdeX9bBYPjYJTX3CWuEvAb8AR9 +Q8oPy59r5oiw2WB7JEzvPCPMgnSF06QzqjDl5zkpeGzwK8bYmhlokascvKmxdffK +qXorC3BLZVsPyD1CCNGRtUwcbXImTQ== +=AxD0 +-----END PGP SIGNATURE-----
