Severity: moderate 

Affected versions:

- Apache Camel (org.apache.camel:camel-solr) 4.0.0 before 4.14.8
- Apache Camel (org.apache.camel:camel-solr) 4.15.0 before 4.18.3
- Apache Camel (org.apache.camel:camel-solr) 4.19.0 before 4.21.0

Description:

Improper Neutralization of Special Elements in Output Used by a Downstream 
Component ('Injection'), Improper Input Validation, Server-Side Request Forgery 
(SSRF) vulnerability in Apache Camel Solr component.

The camel-solr producer copies Exchange message headers whose names begin with 
the SolrParam. prefix into the parameters of the Solr request, and headers 
whose names begin with the SolrField. prefix into the fields of the indexed 
Solr document. The prefix constants (SolrConstants.HEADER_PARAM_PREFIX / 
HEADER_FIELD_PREFIX) were the plain strings SolrParam. / SolrField.. Because 
these names do not start with the Camel / camel prefix, 
HttpHeaderFilterStrategy - which blocks only the Camel header namespace on the 
HTTP boundary - let them pass from an inbound HTTP request straight into the 
Exchange. In a route that bridges an HTTP consumer (for example platform-http) 
into a solr: producer, any HTTP client could therefore set SolrParam.* headers 
to inject arbitrary Solr request parameters - including shards or stream.url, 
which cause the Solr server to issue server-side requests to an attacker-chosen 
URL (server-side request forgery, for example to an internal service or a cloud 
metadata endpoint), or qt to reach administrative request handlers - and set 
SolrField.* headers to inject arbitrary fields into indexed documents. No 
credentials are required when the bridging consumer is unauthenticated.
This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 
4.18.3, from 4.19.0 before 4.21.0.

Users are recommended to upgrade to version 4.21.0, which fixes the issue. If 
users are on the 4.14.x LTS releases stream, then they are suggested to upgrade 
to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested 
to upgrade to 4.18.3. After upgrading, routes that set Solr parameters or 
fields via the raw header prefixes must use CamelSolrParam. / CamelSolrField. 
instead of SolrParam. / SolrField.. For deployments that cannot upgrade 
immediately, strip the SolrParam.* and SolrField.* headers from any untrusted 
ingress before the solr: producer, and set the required Solr parameters and 
fields from a trusted source in the route.

Credit:

Yu Bao from Paypal (finder)
Andrea Cosentino (remediation developer)

References:

http://camel.apache.org/security/CVE-2026-48203.html
https://camel.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-48203

Reply via email to