This is an automated email from the ASF dual-hosted git repository.
acosentino pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel-website.git
The following commit(s) were added to refs/heads/main by this push:
new cb0a96de Updated the CVE-2025-27636
cb0a96de is described below
commit cb0a96de9219c9a9c10618a18a61151dc93caa51
Author: Andrea Cosentino <[email protected]>
AuthorDate: Sun Mar 9 14:44:50 2025 +0100
Updated the CVE-2025-27636
Signed-off-by: Andrea Cosentino <[email protected]>
---
content/security/CVE-2025-27636.md | 6 +++---
content/security/CVE-2025-27636.txt.asc | 22 +++++++++++-----------
2 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/content/security/CVE-2025-27636.md
b/content/security/CVE-2025-27636.md
index 3c8e79c4..85712858 100644
--- a/content/security/CVE-2025-27636.md
+++ b/content/security/CVE-2025-27636.md
@@ -6,9 +6,9 @@ draft: false
type: security-advisory
cve: CVE-2025-27636
severity: MODERATE
-summary: "Apache Camel: Camel Message Header Injection via Improper Filtering"
-description: "The default header filter strategy in Camel could be bypassed by
altering the casing of letters. The default filtering mechanism that only
blocks headers starting with 'Camel', 'camel', or 'org.apache.camel.'. This
allows attackers to inject headers which can be exploited to invoke arbitrary
methods from the Bean registry and also supports using Simple Expression
Language (or OGNL in some cases) as part of the method parameters passed to the
bean. It's important to note tha [...]
-mitigation: "Users are recommended to upgrade to version 4.10.2 for 4.10.x
LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases."
+summary: "Apache Camel-Bean component: Camel Message Header Injection via
Improper Filtering"
+description: "This vulnerability is only present in the following situation.
The user is using one of the following HTTP Servers via one the of the
following Camel components: camel-servlet, camel-jetty, camel-undertow,
camel-platform-http and camel-netty-http and in the route, the exchange will be
routed to a camel-bean producer. So ONLY camel-bean component is affected. In
particular: The bean invocation (is only affected if you use any of the above
together with camel-bean component) [...]
+mitigation: "Users are recommended to upgrade to version 4.10.2 for 4.10.x
LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases. Also, users could use
removeHeaders EIP, to filter out anything like "cAmel, cAMEL" etc, or in
general everything not starting with 'Camel', 'camel' or 'org.apache.camel.'. "
credit: "This issue was discovered by Mark Thorson of AT&T"
affected: Apache Camel 4.10.0 before 4.10.2. Apache Camel 4.8.0 before 4.8.5.
Apache Camel 3.10.0 before 3.22.4.
fixed: 3.22.4, 4.8.5 and 4.10.2
diff --git a/content/security/CVE-2025-27636.txt.asc
b/content/security/CVE-2025-27636.txt.asc
index 67b4701a..f812d8fd 100644
--- a/content/security/CVE-2025-27636.txt.asc
+++ b/content/security/CVE-2025-27636.txt.asc
@@ -9,9 +9,9 @@ draft: false
type: security-advisory
cve: CVE-2025-27636
severity: MODERATE
-summary: "Apache Camel: Camel Message Header Injection via Improper Filtering"
-description: "The default header filter strategy in Camel could be bypassed by
altering the casing of letters. The default filtering mechanism that only
blocks headers starting with 'Camel', 'camel', or 'org.apache.camel.'. This
allows attackers to inject headers which can be exploited to invoke arbitrary
methods from the Bean registry and also supports using Simple Expression
Language (or OGNL in some cases) as part of the method parameters passed to the
bean. It's important to note tha [...]
-mitigation: "Users are recommended to upgrade to version 4.10.2 for 4.10.x
LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases."
+summary: "Apache Camel-Bean component: Camel Message Header Injection via
Improper Filtering"
+description: "This vulnerability is only present in the following situation.
The user is using one of the following HTTP Servers via one the of the
following Camel components: camel-servlet, camel-jetty, camel-undertow,
camel-platform-http and camel-netty-http and in the route, the exchange will be
routed to a camel-bean producer. So ONLY camel-bean component is affected. In
particular: The bean invocation (is only affected if you use any of the above
together with camel-bean component) [...]
+mitigation: "Users are recommended to upgrade to version 4.10.2 for 4.10.x
LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases. Also, users could use
removeHeaders EIP, to filter out anything like "cAmel, cAMEL" etc, or in
general everything not starting with 'Camel', 'camel' or 'org.apache.camel.'. "
credit: "This issue was discovered by Mark Thorson of AT&T"
affected: Apache Camel 4.10.0 before 4.10.2. Apache Camel 4.8.0 before 4.8.5.
Apache Camel 3.10.0 before 3.22.4.
fixed: 3.22.4, 4.8.5 and 4.10.2
@@ -20,12 +20,12 @@ fixed: 3.22.4, 4.8.5 and 4.10.2
The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-21828 refers to
the various commits that resolved the issue, and have more details.
-----BEGIN PGP SIGNATURE-----
-iQEzBAEBCAAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmfNc5IACgkQ406fOAL/
-QQBf3Qf7BIb5J4mT85gZHlcYtqGkUnS9BLJSAI2odYCy9M9bvskA9vIqVHLDPXrM
-YBKDaesnzGbdc9HFwJ9WLxKjwVjLfUL6UH02eSGrg2gHMKgMTvmumjLcHsYZIodl
-7ALbTjsU+RkdluDd9RUJylDGp8T7dFXPDs78adYNO5b+APdPk/jz1LpUQ1nCSzwV
-oOiiABPTJwK4qrPaWWApatbLYQulHsfWqXJ8guaeb/IbqV0u7jDD08/F5E1ph8AF
-zrrn4t4GLyU6OJUeiECy/ZP1w5MWzipt9cMPQn97oPbjJH4CGpQCS8pO6bMj5JXf
-/LITN6o6RMqDxSszdmF0UVfHbiCo8w==
-=KuUE
+iQEzBAEBCAAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmfNmz4ACgkQ406fOAL/
+QQDSyAf/RwNXqO/BjFAXQazhSAXU71/XUBLw+8eL4epas1iluOtEuYDbnKwM2E/1
+ORgQ3noWI8geNE1FPHij0chuDxNyv5N4dYKwTfOXbjDVMBgQj3cQxxjiZxqW7lA5
+ddLoBPcmS8F/UCMhP/HxHQitnTfi2zzcAZrZNZVLVSPUkMcHGMIOc5l6WLkVF1VE
+ehHp+UPupNryG+6/By2SoQGliE2U9pCja/UWSKJie5MzBblsQYaG0CE3n+4WuraU
+ZUQ60r3hOITn2SKnZw+aNrA2JyxgjHrIuG+HdMTBx5TKDCkhoX4ge4to3y7nZ/jo
+dkmW1ESK9gSkpYhlxPdXRdc4m3kVWg==
+=bIz5
-----END PGP SIGNATURE-----
