This is an automated email from the ASF dual-hosted git repository. oscerd pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/camel-website.git
commit a901befca08f07f6c6dee2febc78001341ca1aa5 Author: Andrea Cosentino <[email protected]> AuthorDate: Mon Jun 15 12:27:06 2026 +0200 Added CVE-2026-49097 Signed-off-by: Andrea Cosentino <[email protected]> --- content/security/CVE-2026-49097.md | 17 +++++++++++++++++ content/security/CVE-2026-49097.txt.asc | 31 +++++++++++++++++++++++++++++++ 2 files changed, 48 insertions(+) diff --git a/content/security/CVE-2026-49097.md b/content/security/CVE-2026-49097.md new file mode 100644 index 00000000..c8acc06a --- /dev/null +++ b/content/security/CVE-2026-49097.md @@ -0,0 +1,17 @@ +--- +title: "Apache Camel Security Advisory - CVE-2026-49097" +date: 2026-06-11T10:00:00+02:00 +url: /security/CVE-2026-49097.html +draft: false +type: security-advisory +cve: CVE-2026-49097 +severity: MEDIUM +summary: "Apache Camel: Camel-IRC: The irc.sendTo (and other irc.*) Exchange header constants used non-Camel-prefixed names that bypass the HTTP header filter, allowing an HTTP client to redirect outgoing IRC messages to arbitrary channels or users" +description: "The camel-irc producer chooses the destination of an outgoing IRC message from the irc.sendTo Exchange header (the constant IrcConstants.IRC_SEND_TO, value irc.sendTo); when that header is present it overrides the channel list configured on the endpoint, and the message is sent only to the specified destination. This and the component's other control headers (irc.target, irc.messageType, irc.user.*, irc.num, irc.value) used plain, non-Camel-prefixed values. Because these na [...] +mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, routes that set IRC headers via the raw header names must use the CamelIrc* names (for example CamelIrcSendTo) instead of the old irc.* values. For deployments that cannot upgrade immediately, strip the [...] +credit: "This issue was discovered by Yu Bao from PayPal" +affected: "From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0." +fixed: 4.14.8, 4.18.3 and 4.21.0 +--- + +The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23629 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23594 (commit 0be886bf433c718abe4a27498245f6898366fb0c) and backported to camel-4.18.x (commit 2959633a6dd51a9736a9efaedaa843548fcd2d3e) and camel-4.14.x (commit 18b64b47fda68b15f4eb9f7ce8148c8b9ec819a0). The fix renames the 10 camel-irc Exchange header constant values to the Cam [...] diff --git a/content/security/CVE-2026-49097.txt.asc b/content/security/CVE-2026-49097.txt.asc new file mode 100644 index 00000000..903eb459 --- /dev/null +++ b/content/security/CVE-2026-49097.txt.asc @@ -0,0 +1,31 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +- --- +title: "Apache Camel Security Advisory - CVE-2026-49097" +date: 2026-06-11T10:00:00+02:00 +url: /security/CVE-2026-49097.html +draft: false +type: security-advisory +cve: CVE-2026-49097 +severity: MEDIUM +summary: "Apache Camel: Camel-IRC: The irc.sendTo (and other irc.*) Exchange header constants used non-Camel-prefixed names that bypass the HTTP header filter, allowing an HTTP client to redirect outgoing IRC messages to arbitrary channels or users" +description: "The camel-irc producer chooses the destination of an outgoing IRC message from the irc.sendTo Exchange header (the constant IrcConstants.IRC_SEND_TO, value irc.sendTo); when that header is present it overrides the channel list configured on the endpoint, and the message is sent only to the specified destination. This and the component's other control headers (irc.target, irc.messageType, irc.user.*, irc.num, irc.value) used plain, non-Camel-prefixed values. Because these na [...] +mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, routes that set IRC headers via the raw header names must use the CamelIrc* names (for example CamelIrcSendTo) instead of the old irc.* values. For deployments that cannot upgrade immediately, strip the [...] +credit: "This issue was discovered by Yu Bao from PayPal" +affected: "From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0." +fixed: 4.14.8, 4.18.3 and 4.21.0 +- --- + +The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23629 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23594 (commit 0be886bf433c718abe4a27498245f6898366fb0c) and backported to camel-4.18.x (commit 2959633a6dd51a9736a9efaedaa843548fcd2d3e) and camel-4.14.x (commit 18b64b47fda68b15f4eb9f7ce8148c8b9ec819a0). The fix renames the 10 camel-irc Exchange header constant values to the Cam [...] +-----BEGIN PGP SIGNATURE----- + +iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmovx0oACgkQ406fOAL/ +QQDuCQf9Gj5KnDvf5fPPTMs3R6HNEAFL8BHoObf2A4GJ8T1NxeHTXq6TFWZoUUGP +kzdThKfMaqAeXzZ48yWLNSPkD+NXs3iyPhBuz3UNX2vva+cZpMkxSQd7rcaUI/+p +5yhIhiB9E23dXolg/StV2qv9JyTj1onQQSu2yQA/RRUiYMPALav0wEkJBbBdpEHJ +0+HqarYFHRUXBXixrX2dboCokhe6OTp5AWKwk69LZlM8GgvYSaBEJsWvPWsqODLv +4iM3hNKPbxIIZ0wFbe3y4VG6E9pF0xebQMR0XEpphJosnls1n5129bSiMLvYMZfm +ZwY4huCmw7KVWDv7nExj2KBzRjRcXA== +=I/Ri +-----END PGP SIGNATURE-----
