This is an automated email from the ASF dual-hosted git repository.

oscerd pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel-website.git

commit 16ea85c46c818db260b0f2124c8e84bccdef1862
Author: Andrea Cosentino <[email protected]>
AuthorDate: Fri Jun 19 12:03:03 2026 +0200

    Split CVE-2026-49365 to camel-netty-http only and add CVE-2026-56139 
(camel-undertow)
    
    CVE-2026-49365 covered both camel-netty-http and camel-undertow; narrow it 
to camel-netty-http and document the same insecure muteException=false default 
for camel-undertow in a dedicated CVE-2026-56139, including the undertow-only 
Rest DSL bug (RestUndertowHttpBinding hard-coded muteException to false). Both 
share the CAMEL-23651 fix (PR apache/camel#23913) and cross-reference each 
other. Also corrected the 4.18.x/4.14.x backport commit hashes: the published 
CVE-2026-49365 cited an u [...]
    
    Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
    Signed-off-by: Andrea Cosentino <[email protected]>
---
 content/security/CVE-2026-49365.md      |  8 ++++----
 content/security/CVE-2026-49365.txt.asc | 24 ++++++++++++------------
 content/security/CVE-2026-56139.md      | 17 +++++++++++++++++
 content/security/CVE-2026-56139.txt.asc | 31 +++++++++++++++++++++++++++++++
 4 files changed, 64 insertions(+), 16 deletions(-)

diff --git a/content/security/CVE-2026-49365.md 
b/content/security/CVE-2026-49365.md
index 664f1673..911531fe 100644
--- a/content/security/CVE-2026-49365.md
+++ b/content/security/CVE-2026-49365.md
@@ -6,12 +6,12 @@ draft: false
 type: security-advisory
 cve: CVE-2026-49365
 severity: MEDIUM
-summary: "Camel-Netty-HTTP and Camel-Undertow: The muteException consumer 
option defaulted to false, so a processing error returned the full Java stack 
trace in the HTTP response body, disclosing sensitive internal information to 
unauthenticated clients"
-description: "The camel-netty-http and camel-undertow HTTP server consumers 
expose a muteException option that controls what is returned to the client when 
a route processing error occurs. In both components this option defaulted to 
false - in camel-netty-http because the backing field was an uninitialised 
primitive boolean (Java's default of false), and in camel-undertow likewise - 
whereas the other Camel HTTP server components (camel-http / camel-jetty / 
camel-servlet and camel-platfor [...]
-mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes 
the issue. If users are on the 4.14.x LTS releases stream, then they are 
suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, 
then they are suggested to upgrade to 4.18.3. For deployments that cannot 
upgrade immediately, set muteException=true explicitly on the camel-netty-http 
and camel-undertow consumers (for example 
netty-http:http://0.0.0.0:8080/api?muteException=true, or globally via  [...]
+summary: "Camel-Netty-HTTP: The muteException consumer option defaulted to 
false, so a processing error returned the full Java stack trace in the HTTP 
response body, disclosing sensitive internal information to unauthenticated 
clients"
+description: "The camel-netty-http HTTP server consumer exposes a 
muteException option that controls what is returned to the client when a route 
processing error occurs. This option defaulted to false because the backing 
field was an uninitialised primitive boolean (Java's default of false), whereas 
the other Camel HTTP server components (camel-http / camel-jetty / 
camel-servlet and camel-platform-http) default it to true. With 
muteException=false, when a request triggers an exception du [...]
+mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes 
the issue. If users are on the 4.14.x LTS releases stream, then they are 
suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, 
then they are suggested to upgrade to 4.18.3. For deployments that cannot 
upgrade immediately, set muteException=true explicitly on the camel-netty-http 
consumer (for example netty-http:http://0.0.0.0:8080/api?muteException=true, or 
globally via the camel.component. [...]
 credit: "This issue was discovered by Yu Bao from PayPal"
 affected: "From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 
before 4.21.0."
 fixed: 4.14.8, 4.18.3 and 4.21.0
 ---
 
-The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23651 refers to 
the various commits that resolved the issue, and have more details. The fix was 
merged on main in https://github.com/apache/camel/pull/23913 (commit 
6cea553aa42ed1326ac57ad800d66674bc453932) and backported to camel-4.18.x 
(commit 1bd7389bd244da719404cf66d5b3676d41498bec) and camel-4.14.x (commit 
d3a13956ad2fd7280ad3ab678d79caf3bd0b4661). The fix aligns the muteException 
consumer-option default in camel-netty-htt [...]
+The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23651 refers to 
the various commits that resolved the issue, and have more details. The fix was 
merged on main in https://github.com/apache/camel/pull/23913 (commit 
6cea553aa42ed1326ac57ad800d66674bc453932) and backported to camel-4.18.x 
(commit fdcf67a00470783ccb93b948883b6a4c5275aff5) and camel-4.14.x (commit 
b1badb58a407e4d16c8b6bba81650d4c68e55eaf). The fix aligns the muteException 
consumer-option default in camel-netty-htt [...]
diff --git a/content/security/CVE-2026-49365.txt.asc 
b/content/security/CVE-2026-49365.txt.asc
index e01c1331..a702dfbc 100644
--- a/content/security/CVE-2026-49365.txt.asc
+++ b/content/security/CVE-2026-49365.txt.asc
@@ -9,23 +9,23 @@ draft: false
 type: security-advisory
 cve: CVE-2026-49365
 severity: MEDIUM
-summary: "Camel-Netty-HTTP and Camel-Undertow: The muteException consumer 
option defaulted to false, so a processing error returned the full Java stack 
trace in the HTTP response body, disclosing sensitive internal information to 
unauthenticated clients"
-description: "The camel-netty-http and camel-undertow HTTP server consumers 
expose a muteException option that controls what is returned to the client when 
a route processing error occurs. In both components this option defaulted to 
false - in camel-netty-http because the backing field was an uninitialised 
primitive boolean (Java's default of false), and in camel-undertow likewise - 
whereas the other Camel HTTP server components (camel-http / camel-jetty / 
camel-servlet and camel-platfor [...]
-mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes 
the issue. If users are on the 4.14.x LTS releases stream, then they are 
suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, 
then they are suggested to upgrade to 4.18.3. For deployments that cannot 
upgrade immediately, set muteException=true explicitly on the camel-netty-http 
and camel-undertow consumers (for example 
netty-http:http://0.0.0.0:8080/api?muteException=true, or globally via  [...]
+summary: "Camel-Netty-HTTP: The muteException consumer option defaulted to 
false, so a processing error returned the full Java stack trace in the HTTP 
response body, disclosing sensitive internal information to unauthenticated 
clients"
+description: "The camel-netty-http HTTP server consumer exposes a 
muteException option that controls what is returned to the client when a route 
processing error occurs. This option defaulted to false because the backing 
field was an uninitialised primitive boolean (Java's default of false), whereas 
the other Camel HTTP server components (camel-http / camel-jetty / 
camel-servlet and camel-platform-http) default it to true. With 
muteException=false, when a request triggers an exception du [...]
+mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes 
the issue. If users are on the 4.14.x LTS releases stream, then they are 
suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, 
then they are suggested to upgrade to 4.18.3. For deployments that cannot 
upgrade immediately, set muteException=true explicitly on the camel-netty-http 
consumer (for example netty-http:http://0.0.0.0:8080/api?muteException=true, or 
globally via the camel.component. [...]
 credit: "This issue was discovered by Yu Bao from PayPal"
 affected: "From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 
before 4.21.0."
 fixed: 4.14.8, 4.18.3 and 4.21.0
 - ---
 
-The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23651 refers to 
the various commits that resolved the issue, and have more details. The fix was 
merged on main in https://github.com/apache/camel/pull/23913 (commit 
6cea553aa42ed1326ac57ad800d66674bc453932) and backported to camel-4.18.x 
(commit 1bd7389bd244da719404cf66d5b3676d41498bec) and camel-4.14.x (commit 
d3a13956ad2fd7280ad3ab678d79caf3bd0b4661). The fix aligns the muteException 
consumer-option default in camel-netty-htt [...]
+The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23651 refers to 
the various commits that resolved the issue, and have more details. The fix was 
merged on main in https://github.com/apache/camel/pull/23913 (commit 
6cea553aa42ed1326ac57ad800d66674bc453932) and backported to camel-4.18.x 
(commit fdcf67a00470783ccb93b948883b6a4c5275aff5) and camel-4.14.x (commit 
b1badb58a407e4d16c8b6bba81650d4c68e55eaf). The fix aligns the muteException 
consumer-option default in camel-netty-htt [...]
 -----BEGIN PGP SIGNATURE-----
 
-iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmoyo1oACgkQ406fOAL/
-QQBrwQgAi6I2aggOCjyAMMi0SNscu+VFqJI/MdIiFJnW+A2KVh4GGeui2jrMcg2t
-71OlDX+fQkmMBVhZQX4RfB4yfqBcXXSKWxdvfiTWuFU8uLGFZ31TSmYo51nnj37E
-xDsNoa7DQ4ZJjpxud0AqV80+Mpb/vkxr1MxcM9Qloj8HHR80gWR9c/WmNayfIvlv
-cCX41FsrSFOJpvfwA1bibq6AongRAI6yrtgBzTpd/SUqM3gGe2CVKE6nXi1ZQ2WN
-y4JL+OoHYvPMQV+YsrCPGkyQRDOkVwzRW9ii7scOa1jUUnHQVqgBWFn8KFrIRoaZ
-jM5883ZFwq0eDs3yXPfaqF0cHiEOSA==
-=vOpR
+iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmo1E5cACgkQ406fOAL/
+QQDr4wf/QKxsfZDpVylUF6yiQpLRf5y+NLF4TKSBHz3sLS91IQElXrQg+pC4UTVJ
+O22HkUXt9ViMh1zff8ZR9qrBcqmmtx/ndLOMTiXxMpmXMIToapNSUEpVYVlmVKfU
+PLMKhDQWKF1aWDDqP1S5SN8cEvny4WcsCdI7vBHuuHdI/6cEv5NShHXC0XKfyOMB
+dMy+kPxukIKdFbsc2wNk1JJ6cvkpVFwh1MyMmpGYrTdjQ7okVMD3OZkYrWFgiTXI
+EQIaoENSM5mfk4V1EFeUW9BQvyOfd139v5qP5alW6Dhl/KLccMJq64COAwpGHpGz
+eqBKKuroW7UjPy8hF9ui2r7H/6+PKg==
+=e1/w
 -----END PGP SIGNATURE-----
diff --git a/content/security/CVE-2026-56139.md 
b/content/security/CVE-2026-56139.md
new file mode 100644
index 00000000..b4254118
--- /dev/null
+++ b/content/security/CVE-2026-56139.md
@@ -0,0 +1,17 @@
+---
+title: "Apache Camel Security Advisory - CVE-2026-56139"
+date: 2026-06-18T10:00:00+02:00
+url: /security/CVE-2026-56139.html
+draft: false
+type: security-advisory
+cve: CVE-2026-56139
+severity: MEDIUM
+summary: "Camel-Undertow: The muteException consumer option defaulted to 
false, so a processing error returned the full Java stack trace in the HTTP 
response body, disclosing sensitive internal information to unauthenticated 
clients - and the option was not honoured at all for Rest DSL consumers"
+description: "The camel-undertow HTTP server consumer exposes a muteException 
option that controls what is returned to the client when a route processing 
error occurs. This option defaulted to false, whereas the other Camel HTTP 
server components (camel-http / camel-jetty / camel-servlet and 
camel-platform-http) default it to true. With muteException=false, when a 
request triggers an exception during route processing the consumer writes the 
full Throwable stack trace into the HTTP respon [...]
+mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes 
the issue. If users are on the 4.14.x LTS releases stream, then they are 
suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, 
then they are suggested to upgrade to 4.18.3. For deployments that cannot 
upgrade immediately, set muteException=true explicitly on the camel-undertow 
consumer (for example undertow:http://0.0.0.0:8080/api?muteException=true, or 
globally via the camel.component.unde [...]
+credit: "This issue was discovered by Yu Bao from PayPal"
+affected: "From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 
before 4.21.0."
+fixed: 4.14.8, 4.18.3 and 4.21.0
+---
+
+The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23651 refers to 
the various commits that resolved the issue, and have more details. The fix was 
merged on main in https://github.com/apache/camel/pull/23913 (commit 
6cea553aa42ed1326ac57ad800d66674bc453932) and backported to camel-4.18.x 
(commit fdcf67a00470783ccb93b948883b6a4c5275aff5) and camel-4.14.x (commit 
b1badb58a407e4d16c8b6bba81650d4c68e55eaf). The fix aligns the muteException 
consumer-option default in camel-undertow  [...]
diff --git a/content/security/CVE-2026-56139.txt.asc 
b/content/security/CVE-2026-56139.txt.asc
new file mode 100644
index 00000000..e809117e
--- /dev/null
+++ b/content/security/CVE-2026-56139.txt.asc
@@ -0,0 +1,31 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+- ---
+title: "Apache Camel Security Advisory - CVE-2026-56139"
+date: 2026-06-18T10:00:00+02:00
+url: /security/CVE-2026-56139.html
+draft: false
+type: security-advisory
+cve: CVE-2026-56139
+severity: MEDIUM
+summary: "Camel-Undertow: The muteException consumer option defaulted to 
false, so a processing error returned the full Java stack trace in the HTTP 
response body, disclosing sensitive internal information to unauthenticated 
clients - and the option was not honoured at all for Rest DSL consumers"
+description: "The camel-undertow HTTP server consumer exposes a muteException 
option that controls what is returned to the client when a route processing 
error occurs. This option defaulted to false, whereas the other Camel HTTP 
server components (camel-http / camel-jetty / camel-servlet and 
camel-platform-http) default it to true. With muteException=false, when a 
request triggers an exception during route processing the consumer writes the 
full Throwable stack trace into the HTTP respon [...]
+mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes 
the issue. If users are on the 4.14.x LTS releases stream, then they are 
suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, 
then they are suggested to upgrade to 4.18.3. For deployments that cannot 
upgrade immediately, set muteException=true explicitly on the camel-undertow 
consumer (for example undertow:http://0.0.0.0:8080/api?muteException=true, or 
globally via the camel.component.unde [...]
+credit: "This issue was discovered by Yu Bao from PayPal"
+affected: "From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 
before 4.21.0."
+fixed: 4.14.8, 4.18.3 and 4.21.0
+- ---
+
+The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23651 refers to 
the various commits that resolved the issue, and have more details. The fix was 
merged on main in https://github.com/apache/camel/pull/23913 (commit 
6cea553aa42ed1326ac57ad800d66674bc453932) and backported to camel-4.18.x 
(commit fdcf67a00470783ccb93b948883b6a4c5275aff5) and camel-4.14.x (commit 
b1badb58a407e4d16c8b6bba81650d4c68e55eaf). The fix aligns the muteException 
consumer-option default in camel-undertow  [...]
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmo1E58ACgkQ406fOAL/
+QQBAOQf/RSFXBJ5nNKE5+o2MNyGPPne7TK2Wfps1sR3djZs2nUJqqH4NuQBHVZVC
+ZcYaA5hV6qDEt3iDmyWhYT8fpMnwzXjwB0dw2Q7c3YE7Nxymngj29fj/8AXwCr6Z
+sao1h/JunTXwKEqMiejS40jkDkxjduRcnbygMDfcXtph9kt67sq+BK7yvSSiaseN
+1yld++Yfexh9v661odDX+pmo1MK3aERbERY2Q/h0XGKBmfKEf+P4lNa1lIBBF6XW
+e2IoFgnWFGa58hadnXl1coquRRqAnloBUpikkqdpexpSfgUMiVBh2ZCFOUW/Bu+1
+Sv0VLyP64j0RSnyD4M8GINbIs5mZIQ==
+=Asqi
+-----END PGP SIGNATURE-----

Reply via email to