This is an automated email from the ASF dual-hosted git repository.

oscerd pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel-website.git

commit a901befca08f07f6c6dee2febc78001341ca1aa5
Author: Andrea Cosentino <[email protected]>
AuthorDate: Mon Jun 15 12:27:06 2026 +0200

    Added CVE-2026-49097
    
    Signed-off-by: Andrea Cosentino <[email protected]>
---
 content/security/CVE-2026-49097.md      | 17 +++++++++++++++++
 content/security/CVE-2026-49097.txt.asc | 31 +++++++++++++++++++++++++++++++
 2 files changed, 48 insertions(+)

diff --git a/content/security/CVE-2026-49097.md 
b/content/security/CVE-2026-49097.md
new file mode 100644
index 00000000..c8acc06a
--- /dev/null
+++ b/content/security/CVE-2026-49097.md
@@ -0,0 +1,17 @@
+---
+title: "Apache Camel Security Advisory - CVE-2026-49097"
+date: 2026-06-11T10:00:00+02:00
+url: /security/CVE-2026-49097.html
+draft: false
+type: security-advisory
+cve: CVE-2026-49097
+severity: MEDIUM
+summary: "Apache Camel: Camel-IRC: The irc.sendTo (and other irc.*) Exchange 
header constants used non-Camel-prefixed names that bypass the HTTP header 
filter, allowing an HTTP client to redirect outgoing IRC messages to arbitrary 
channels or users"
+description: "The camel-irc producer chooses the destination of an outgoing 
IRC message from the irc.sendTo Exchange header (the constant 
IrcConstants.IRC_SEND_TO, value irc.sendTo); when that header is present it 
overrides the channel list configured on the endpoint, and the message is sent 
only to the specified destination. This and the component's other control 
headers (irc.target, irc.messageType, irc.user.*, irc.num, irc.value) used 
plain, non-Camel-prefixed values. Because these na [...]
+mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes 
the issue. If users are on the 4.14.x LTS releases stream, then they are 
suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, 
then they are suggested to upgrade to 4.18.3. After upgrading, routes that set 
IRC headers via the raw header names must use the CamelIrc* names (for example 
CamelIrcSendTo) instead of the old irc.* values. For deployments that cannot 
upgrade immediately, strip the  [...]
+credit: "This issue was discovered by Yu Bao from PayPal"
+affected: "From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 
before 4.21.0."
+fixed: 4.14.8, 4.18.3 and 4.21.0
+---
+
+The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23629 refers to 
the various commits that resolved the issue, and have more details. The fix was 
merged on main in https://github.com/apache/camel/pull/23594 (commit 
0be886bf433c718abe4a27498245f6898366fb0c) and backported to camel-4.18.x 
(commit 2959633a6dd51a9736a9efaedaa843548fcd2d3e) and camel-4.14.x (commit 
18b64b47fda68b15f4eb9f7ce8148c8b9ec819a0). The fix renames the 10 camel-irc 
Exchange header constant values to the Cam [...]
diff --git a/content/security/CVE-2026-49097.txt.asc 
b/content/security/CVE-2026-49097.txt.asc
new file mode 100644
index 00000000..903eb459
--- /dev/null
+++ b/content/security/CVE-2026-49097.txt.asc
@@ -0,0 +1,31 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+- ---
+title: "Apache Camel Security Advisory - CVE-2026-49097"
+date: 2026-06-11T10:00:00+02:00
+url: /security/CVE-2026-49097.html
+draft: false
+type: security-advisory
+cve: CVE-2026-49097
+severity: MEDIUM
+summary: "Apache Camel: Camel-IRC: The irc.sendTo (and other irc.*) Exchange 
header constants used non-Camel-prefixed names that bypass the HTTP header 
filter, allowing an HTTP client to redirect outgoing IRC messages to arbitrary 
channels or users"
+description: "The camel-irc producer chooses the destination of an outgoing 
IRC message from the irc.sendTo Exchange header (the constant 
IrcConstants.IRC_SEND_TO, value irc.sendTo); when that header is present it 
overrides the channel list configured on the endpoint, and the message is sent 
only to the specified destination. This and the component's other control 
headers (irc.target, irc.messageType, irc.user.*, irc.num, irc.value) used 
plain, non-Camel-prefixed values. Because these na [...]
+mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes 
the issue. If users are on the 4.14.x LTS releases stream, then they are 
suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, 
then they are suggested to upgrade to 4.18.3. After upgrading, routes that set 
IRC headers via the raw header names must use the CamelIrc* names (for example 
CamelIrcSendTo) instead of the old irc.* values. For deployments that cannot 
upgrade immediately, strip the  [...]
+credit: "This issue was discovered by Yu Bao from PayPal"
+affected: "From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 
before 4.21.0."
+fixed: 4.14.8, 4.18.3 and 4.21.0
+- ---
+
+The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23629 refers to 
the various commits that resolved the issue, and have more details. The fix was 
merged on main in https://github.com/apache/camel/pull/23594 (commit 
0be886bf433c718abe4a27498245f6898366fb0c) and backported to camel-4.18.x 
(commit 2959633a6dd51a9736a9efaedaa843548fcd2d3e) and camel-4.14.x (commit 
18b64b47fda68b15f4eb9f7ce8148c8b9ec819a0). The fix renames the 10 camel-irc 
Exchange header constant values to the Cam [...]
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmovx0oACgkQ406fOAL/
+QQDuCQf9Gj5KnDvf5fPPTMs3R6HNEAFL8BHoObf2A4GJ8T1NxeHTXq6TFWZoUUGP
+kzdThKfMaqAeXzZ48yWLNSPkD+NXs3iyPhBuz3UNX2vva+cZpMkxSQd7rcaUI/+p
+5yhIhiB9E23dXolg/StV2qv9JyTj1onQQSu2yQA/RRUiYMPALav0wEkJBbBdpEHJ
+0+HqarYFHRUXBXixrX2dboCokhe6OTp5AWKwk69LZlM8GgvYSaBEJsWvPWsqODLv
+4iM3hNKPbxIIZ0wFbe3y4VG6E9pF0xebQMR0XEpphJosnls1n5129bSiMLvYMZfm
+ZwY4huCmw7KVWDv7nExj2KBzRjRcXA==
+=I/Ri
+-----END PGP SIGNATURE-----

Reply via email to