This is an automated email from the ASF dual-hosted git repository. acosentino pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/camel-website.git
commit 872d61c4bdbdcb958c4a15bde187ddd7c6aa17a0 Author: Andrea Cosentino <[email protected]> AuthorDate: Thu Mar 13 09:17:08 2025 +0100 Update CVE Signed-off-by: Andrea Cosentino <[email protected]> --- content/security/CVE-2025-27636.txt.asc | 16 ++++++++-------- content/security/CVE-2025-29891.md | 2 +- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/content/security/CVE-2025-27636.txt.asc b/content/security/CVE-2025-27636.txt.asc index 3ee5834b..488a20aa 100644 --- a/content/security/CVE-2025-27636.txt.asc +++ b/content/security/CVE-2025-27636.txt.asc @@ -56,12 +56,12 @@ fixed: 3.22.4, 4.8.5 and 4.10.2 The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-21828 refers to the various commits that resolved the issue, and have more details. -----BEGIN PGP SIGNATURE----- -iQEzBAEBCAAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmfSlFQACgkQ406fOAL/ -QQCduAf/WsfhgIBqjwFwOeo1I6681/aIWC4Fc8OjgRbumgA1VWwtBGT6gwEoK302 -1FrVG+Xq9ykgC5+2rnwYTq0OUnPnHr4184/x46bW1g1POJsep6swEweQEnSugCr4 -64GLyuLc3ehksgx09t92DzISSEE2csy1f7CgMC8nUBxHZD1lY5Z9ETTfOKd7q24O -DoO48i9QYjXdSlccu96McU9vJDrflo/3hD7KyM8uu+BRPvcFVlRZgXvoXrF1gWuX -AYZ3ZMvOzghtwMojuEokbnOvkuCOmafhhpZ3X0ZXW5pOWc3gTFjwtZuS0+8kUqeB -q9sAGdvUW+eLqsGkBfBHvSLfJwm/ZQ== -=VR4Y +iQEzBAEBCAAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmfSlIEACgkQ406fOAL/ +QQCJ5ggApUZBHWtrwEKRBR02ni+Xm5h7aOOXnQIVzGyXwPBB1ZI0J5VOOIyePE64 +PC69UbGzqBxkYbURGqAiBJqfdpaISDkDD9zKWugIZG1DNtwg1VxqMA6/KJKQYt1g +AzKf1m1b9guCwuFQjqIh04bMXrKhu9bOPGqjuE9SwHK8SPQgYI1tkWEZjKjfyAlc +xZBZRP+VKpxOKwKOwHmVHSWZ0in8YshevmKw48p7g1BN7ACcA/rY9gYzJ7YRhkkb +RHzXIPEQ3PFWG6HAXYuSqUy+hi7hfVKdBWrdqW6+OTqcHtgR4ZPZmO7ZEoKUKxQE +8ryHjb5SRVw3BaS6nvvPEGzRhQbFRQ== +=X5cK -----END PGP SIGNATURE----- diff --git a/content/security/CVE-2025-29891.md b/content/security/CVE-2025-29891.md index 4f8cc547..62d42c8a 100644 --- a/content/security/CVE-2025-29891.md +++ b/content/security/CVE-2025-29891.md @@ -7,7 +7,7 @@ type: security-advisory cve: CVE-2025-29891 severity: HIGH summary: "Camel Message Header Injection through request parameters" -description: "This vulnerability is present in Camel's default incoming header filter, that allows an attacker to include Camel specific headers that for some Camel components can alter the behaviours such as the camel-bean component, or the camel-exec component. If you have Camel applications that are directly connected to the internet via HTTP, then an attacker could include parameters in the HTTP requests that are sent to the Camel application that incorrectly get translated into head [...] +description: "This vulnerability is present in Camel's default incoming header filter, that allows an attacker to include Camel specific headers that for some Camel components can alter the behaviours such as the camel-bean component, or the camel-exec component. If you have Camel applications that are directly connected to the internet via HTTP, then an attacker could include parameters in the HTTP requests that are sent to the Camel application that get translated into headers. The hea [...] mitigation: "Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases. Also, users could use removeHeaders EIP, to filter out anything like 'cAmel, cAMEL' etc, or in general everything not starting with 'Camel', 'camel' or 'org.apache.camel.'." credit: "This issue was discovered by Citi Cyber Security Operations and reported by Akamai Security Intelligence Group (SIG). This issue was discovered and reported by Mark Thorson of AT&T." affected: Apache Camel 4.10.0 before 4.10.2. Apache Camel 4.8.0 before 4.8.5. Apache Camel 3.10.0 before 3.22.4.
