This is an automated email from the ASF dual-hosted git repository. oscerd pushed a commit to branch 2026-47323 in repository https://gitbox.apache.org/repos/asf/camel-website.git
commit 16313cdf0e8846ab784e7a83ef10e9206647e38f Author: Andrea Cosentino <[email protected]> AuthorDate: Tue May 19 11:22:29 2026 +0200 Added CVE-2026-47323 Signed-off-by: Andrea Cosentino <[email protected]> --- content/security/CVE-2026-47323.md | 17 +++++++++++++++++ content/security/CVE-2026-47323.txt.asc | 31 +++++++++++++++++++++++++++++++ 2 files changed, 48 insertions(+) diff --git a/content/security/CVE-2026-47323.md b/content/security/CVE-2026-47323.md new file mode 100644 index 00000000..e7f73be7 --- /dev/null +++ b/content/security/CVE-2026-47323.md @@ -0,0 +1,17 @@ +--- +title: "Apache Camel Security Advisory - CVE-2026-47323" +date: 2026-05-18T09:00:00+02:00 +url: /security/CVE-2026-47323.html +draft: false +type: security-advisory +cve: CVE-2026-47323 +severity: MEDIUM +summary: "Camel-CXF and Camel-Knative Message Header Injection via Missing Inbound Filtering" +description: "The CXF and Knative HeaderFilterStrategy implementations (CxfRsHeaderFilterStrategy in camel-cxf-rest, CxfHeaderFilterStrategy in camel-cxf-transport, and KnativeHttpHeaderFilterStrategy in camel-knative-http) only filter outbound Camel-internal headers via setOutFilterStartsWith, while not configuring inbound filtering via setInFilterStartsWith. As a result, an unauthenticated attacker can inject Camel-internal headers (e.g. CamelExecCommandExecutable, CamelFileName) via H [...] +mitigation: "Users are recommended to upgrade to version 4.19.0, which fixes the issue. If users are on the 4.18.x LTS releases stream, then they are suggested to upgrade to 4.18.2. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6." +credit: "This issue was discovered by Quac Tran" +affected: from 3.18.0 before 4.14.6, from 4.15.0 before 4.18.2, from 4.19.0 before 4.19.0 +fixed: 4.14.6, 4.18.2 and 4.19.0 +--- + +This CVE is related to CVE-2025-27636, CVE-2025-29891, CVE-2025-30177, and CVE-2026-40453. 
diff --git a/content/security/CVE-2026-47323.txt.asc b/content/security/CVE-2026-47323.txt.asc new file mode 100644 index 00000000..34e022f4 --- /dev/null +++ b/content/security/CVE-2026-47323.txt.asc 
@@ -0,0 +1,31 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +- --- +title: "Apache Camel Security Advisory - CVE-2026-47323" +date: 2026-05-18T09:00:00+02:00 +url: /security/CVE-2026-47323.html +draft: false +type: security-advisory +cve: CVE-2026-47323 +severity: MEDIUM +summary: "Camel-CXF and Camel-Knative Message Header Injection via Missing Inbound Filtering" +description: "The CXF and Knative HeaderFilterStrategy implementations (CxfRsHeaderFilterStrategy in camel-cxf-rest, CxfHeaderFilterStrategy in camel-cxf-transport, and KnativeHttpHeaderFilterStrategy in camel-knative-http) only filter outbound Camel-internal headers via setOutFilterStartsWith, while not configuring inbound filtering via setInFilterStartsWith. As a result, an unauthenticated attacker can inject Camel-internal headers (e.g. CamelExecCommandExecutable, CamelFileName) via H [...] +mitigation: "Users are recommended to upgrade to version 4.19.0, which fixes the issue. If users are on the 4.18.x LTS releases stream, then they are suggested to upgrade to 4.18.2. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6." +credit: "This issue was discovered by Quac Tran" +affected: from 3.18.0 before 4.14.6, from 4.15.0 before 4.18.2, from 4.19.0 before 4.19.0 +fixed: 4.14.6, 4.18.2 and 4.19.0 +- --- + +This CVE is related to CVE-2025-27636, CVE-2025-29891, CVE-2025-30177, and CVE-2026-40453. +-----BEGIN PGP SIGNATURE----- + +iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmoMK5gACgkQ406fOAL/ +QQDj/AgAhITvNOl8dOg/h1h2pMiGWlCZTWm91xJN8sPke4UeH2eQMz8Ihp60uw9S +c57BrnJS4sSGqk05MHg42qE1Lcsbt9aLswUSbha7d1LmjsKNy196F9lFaYYgdYFS +rIB/tXhMje+4foo87Y7FQc7E8mcUewb5spNIDIXpHBH8QDG3XJ37hnCwIVxCGSyt +WO6fDTi0b5keBw/dZPiUzFbMXpK15/KdpGL/HDityqvylIVB6RYZKwi7AuunPXgn +GiURkNjJK0H9jwC68N3KzVjMlJlrOquc3CpYSpNypIkda+0xzMrZ36Fm6LM5G2av +WMEAeOuZoXzhWGmSawlXm8YyO6++jg== +=tRFR +-----END PGP SIGNATURE-----
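Review bot: in the CVE-2026-47323.md hunk the `affected:` field ends with `from 4.19.0 before 4.19.0`, which is an empty range and contradicts both `fixed: 4.14.6, 4.18.2 and 4.19.0` and the mitigation text that names 4.19.0 as the fixed release; drop that third range (or, if a 4.19.x pre-release was meant, give its real bounds) so the field reads `from 3.18.0 before 4.14.6, from 4.15.0 before 4.18.2`. The `mitigation:` field also says nothing for users who cannot upgrade right away: since the description attributes the issue to the three strategies never calling `setInFilterStartsWith`, the advisory should either state whether configuring a custom HeaderFilterStrategy with inbound filtering of the `Camel`-prefixed headers is an accepted interim measure or say explicitly that upgrading is the only supported fix. The `description:` value is cut off at `via H [...]` in this notification, so the remainder of that field could not be checked here.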
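Review bot: the clearsigned CVE-2026-47323.txt.asc carries the same `affected: ... from 4.19.0 before 4.19.0` text as the Markdown file, so any correction to the advisory must be applied to the signed text as well and the file re-signed; editing the body of the .asc in place would invalidate the SHA512 signature over it. The `- ---` lines around the front matter are normal clearsign dash-escaping of `---` and should stay exactly as they are, and the `@@ -0,0 +1,31 @@` header matches the 31 lines of the signed message, so the signed block itself looks intact.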
