This is an automated email from the ASF dual-hosted git repository. oscerd pushed a commit to branch security/CVE-2026-33453 in repository https://gitbox.apache.org/repos/asf/camel-website.git
commit 728b34e8f7385e5121d24474b29ff67704f37c4d Author: Andrea Cosentino <[email protected]> AuthorDate: Wed May 6 10:23:59 2026 +0200 Add CVE-2026-33453 security advisory for camel-coap header injection HIGH-severity advisory for an Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in the camel-coap component, allowing unauthenticated attackers to inject arbitrary Camel internal headers via CoAP URI query parameters and achieve remote code execution when routes forward to header-sensitive producers (e.g. camel-exec). Affected: 4.14.0 before 4.14.6, 4.15.0 before 4.18.1. Fixed in: 4.14.6, 4.18.1 and 4.19.0. Tracked in: CAMEL-23222. Reported by: Hyunwoo Kim (@v4bel). Signed-off-by: Andrea Cosentino <[email protected]> --- content/security/CVE-2026-33453.md | 17 +++++++++++++++++ content/security/CVE-2026-33453.txt.asc | 31 +++++++++++++++++++++++++++++++ 2 files changed, 48 insertions(+) diff --git a/content/security/CVE-2026-33453.md b/content/security/CVE-2026-33453.md new file mode 100644 index 00000000..1677c933 --- /dev/null +++ b/content/security/CVE-2026-33453.md 
@@ -0,0 +1,17 @@ +--- +title: "Apache Camel Security Advisory - CVE-2026-33453" +date: 2026-05-06T09:00:00+02:00 +url: /security/CVE-2026-33453.html +draft: false +type: security-advisory +cve: CVE-2026-33453 +severity: HIGH +summary: "Apache Camel: Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Camel-Coap component." +description: "Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Apache Camel Camel-Coap component. Apache Camel's camel-coap component is vulnerable to Camel message header injection, leading to remote code execution when routes forward CoAP requests to header-sensitive producers (e.g. camel-exec). The camel-coap component maps incoming CoAP request URI query parameters directly into Camel Exchange In message headers without applying any Head [...] +mitigation: "Users are recommended to upgrade to version 4.18.1, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6. The 4.19.0 development release also contains the fix." +credit: "This issue was discovered by Hyunwoo Kim (@v4bel)" +affected: "From 4.14.0 before 4.14.6, from 4.15.0 before 4.18.1." +fixed: 4.14.6, 4.18.1 and 4.19.0 +--- + +The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23222 refers to the various commits that resolved the issue, and have more details. diff --git a/content/security/CVE-2026-33453.txt.asc b/content/security/CVE-2026-33453.txt.asc new file mode 100644 index 00000000..e997a9d5 --- /dev/null +++ b/content/security/CVE-2026-33453.txt.asc 
@@ -0,0 +1,31 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +- --- +title: "Apache Camel Security Advisory - CVE-2026-33453" +date: 2026-05-06T09:00:00+02:00 +url: /security/CVE-2026-33453.html +draft: false +type: security-advisory +cve: CVE-2026-33453 +severity: HIGH +summary: "Apache Camel: Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Camel-Coap component." +description: "Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Apache Camel Camel-Coap component. Apache Camel's camel-coap component is vulnerable to Camel message header injection, leading to remote code execution when routes forward CoAP requests to header-sensitive producers (e.g. camel-exec). The camel-coap component maps incoming CoAP request URI query parameters directly into Camel Exchange In message headers without applying any Head [...] +mitigation: "Users are recommended to upgrade to version 4.18.1, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6. The 4.19.0 development release also contains the fix." +credit: "This issue was discovered by Hyunwoo Kim (@v4bel)" +affected: "From 4.14.0 before 4.14.6, from 4.15.0 before 4.18.1." +fixed: 4.14.6, 4.18.1 and 4.19.0 +- --- + +The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23222 refers to the various commits that resolved the issue, and have more details. +-----BEGIN PGP SIGNATURE----- + +iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmn6+WMACgkQ406fOAL/ +QQBAXwf/Ru6CDW6Y15NOXugMuaypmpGVkEfKO1GPq6Bcvx1SluynpwYphJpfrMSJ +/mnCz/iSgP3ZpfHtZNNXHwIE/X+wHS56arBJPqp2Hn5mrZtKj5OrTpVkZnYEht2M +mcmJG5OlVr6zJGwoMpO1jvNu7AJZD+iSPWY5xP+SsGDBnF400Z++Fz5EGMlqK91A +omQ/7+5ROlyGSVe8XsJ6SdwgiAijHnjcz5Enalu5q5k3a8Oe8WHx0mQ4UcvNlUiP +LqQXWfvRUsbeP9DRKND9TWQFM/uNCDayYYYEWcWCQrf6UrCM4zzlBWMOgfYcrMxh +4oVJMCuhqyRGcqlrFSZzI2HCIncqwA== +=wdJp +-----END PGP SIGNATURE-----
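Review bot: In the CVE-2026-33453.md hunk, the `description:` value as shown here ends in "without applying any Head [...]", so the front matter cannot be checked for completeness from this diff; confirm the committed file carries the whole sentence and a closing quote, since a truncated YAML string would break the advisory page build. Two wording points in the same hunk: the closing line "refers to the various commits that resolved the issue, and have more details" should read "has more details" (the subject is the ticket), and in `mitigation:` "4.14.x LTS releases stream" should be "release stream". Minor style: `fixed: 4.14.6, 4.18.1 and 4.19.0` is the only free-text value left unquoted while `summary`, `description`, `mitigation`, `credit` and `affected` are quoted; quoting it keeps the front matter uniform and avoids any YAML parser treating the comma-separated versions unexpectedly.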
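Review bot: The CVE-2026-33453.txt.asc hunk is a clear-signed copy of the same text, so any edit made to CVE-2026-33453.md after this commit (including the "have more details" / "releases stream" fixes) must be mirrored here and the message re-signed, or the signature will no longer cover what the advisory page says; the two files should be reviewed as a pair. The `- ---` lines are the expected dash-escaping of the `---` front-matter delimiters in a PGP cleartext signature and are correct as written. As with the .md hunk, the `description:` line is shown truncated at "[...]", which also means the signature cannot be verified from this mail alone; verify it against the committed file in the repository.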
