This is an automated email from the ASF dual-hosted git repository. acosentino pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/camel-website.git
commit 20b0a74aa33f12168f7cbd6fc78e28bd4adf42b3 Author: Andrea Cosentino <[email protected]> AuthorDate: Thu Mar 13 09:16:32 2025 +0100 Update CVE Signed-off-by: Andrea Cosentino <[email protected]> --- content/security/CVE-2025-27636.txt.asc | 16 ++++++++-------- content/security/CVE-2025-29891.md | 2 +- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/content/security/CVE-2025-27636.txt.asc b/content/security/CVE-2025-27636.txt.asc index 9bd98316..3ee5834b 100644 --- a/content/security/CVE-2025-27636.txt.asc +++ b/content/security/CVE-2025-27636.txt.asc @@ -56,12 +56,12 @@ fixed: 3.22.4, 4.8.5 and 4.10.2 The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-21828 refers to the various commits that resolved the issue, and have more details. -----BEGIN PGP SIGNATURE----- -iQEzBAEBCAAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmfPKdsACgkQ406fOAL/ -QQAowQgApMrMHcnk0VOdlYNDVhfzbuMeoOxPEEXUnMHb/Kg6pVH3NTDlwF/c1zsu -gNhe+zJRiFNQGpkdzJYgO4Z+6YtijPRZN/hWGjJ9SZ/N2PHGkUSEnPZO6hjKO1Sh -vjhUM4PIW677oOxoBp4e8JqnM4QSz/7oE9MToCzYqw53ojrRn5eo+tFUvG9XfYd2 -VCDnTN9Kj6ZC/URqjMiCROoeW0YGACLVLnzmJy8XQiSNI66dpwvke/i/TRxpswIP -uEgHqURILJZdtP0kYmEXHjjBAjfbgWyg/9NzjasiPUXWOi3vXUaIJ4g2b8w00mEK -wchO7hhpAVWa4pTe4ed4EctsvE0AYQ== -=j4xI +iQEzBAEBCAAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmfSlFQACgkQ406fOAL/ +QQCduAf/WsfhgIBqjwFwOeo1I6681/aIWC4Fc8OjgRbumgA1VWwtBGT6gwEoK302 +1FrVG+Xq9ykgC5+2rnwYTq0OUnPnHr4184/x46bW1g1POJsep6swEweQEnSugCr4 +64GLyuLc3ehksgx09t92DzISSEE2csy1f7CgMC8nUBxHZD1lY5Z9ETTfOKd7q24O +DoO48i9QYjXdSlccu96McU9vJDrflo/3hD7KyM8uu+BRPvcFVlRZgXvoXrF1gWuX +AYZ3ZMvOzghtwMojuEokbnOvkuCOmafhhpZ3X0ZXW5pOWc3gTFjwtZuS0+8kUqeB +q9sAGdvUW+eLqsGkBfBHvSLfJwm/ZQ== +=VR4Y -----END PGP SIGNATURE----- diff --git a/content/security/CVE-2025-29891.md b/content/security/CVE-2025-29891.md index 2f4832fe..4f8cc547 100644 --- a/content/security/CVE-2025-29891.md +++ b/content/security/CVE-2025-29891.md @@ -9,7 +9,7 @@ severity: HIGH summary: "Camel Message Header Injection through request parameters" description: "This vulnerability is present in Camel's default incoming header filter, that allows an attacker to include Camel specific headers that for some Camel components can alter the behaviours such as the camel-bean component, or the camel-exec component. If you have Camel applications that are directly connected to the internet via HTTP, then an attackerĀ could include parameters in the HTTP requests that are sent to the Camel application that incorrectly get translated into head [...] mitigation: "Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases. Also, users could use removeHeaders EIP, to filter out anything like 'cAmel, cAMEL' etc, or in general everything not starting with 'Camel', 'camel' or 'org.apache.camel.'." -credit: "This issue was discovered by Citi Cyber Security Operations and reported by Akamai Security Intelligence Group (SIG)" +credit: "This issue was discovered by Citi Cyber Security Operations and reported by Akamai Security Intelligence Group (SIG). This issue was discovered and reported by Mark Thorson of AT&T." affected: Apache Camel 4.10.0 before 4.10.2. Apache Camel 4.8.0 before 4.8.5. Apache Camel 3.10.0 before 3.22.4. fixed: 3.22.4, 4.8.5 and 4.10.2 ---
