This is an automated email from the ASF dual-hosted git repository.

oscerd pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel-website.git

commit e25ac7c785664ae745680b3ce6cf3b3d0fd3f98a
Author: Andrea Cosentino <[email protected]>
AuthorDate: Mon Jun 15 12:27:05 2026 +0200

    Added CVE-2026-42527
    
    Signed-off-by: Andrea Cosentino <[email protected]>
---
 content/security/CVE-2026-42527.md      | 19 +++++++++++++++++++
 content/security/CVE-2026-42527.txt.asc | 33 +++++++++++++++++++++++++++++++++
 2 files changed, 52 insertions(+)

diff --git a/content/security/CVE-2026-42527.md 
b/content/security/CVE-2026-42527.md
new file mode 100644
index 00000000..e56f0dde
--- /dev/null
+++ b/content/security/CVE-2026-42527.md
@@ -0,0 +1,19 @@
+---
+title: "Apache Camel Security Advisory - CVE-2026-42527"
+date: 2026-04-29T10:00:00+02:00
+url: /security/CVE-2026-42527.html
+draft: false
+type: security-advisory
+cve: CVE-2026-42527
+severity: MEDIUM
+summary: "Permissive default ObjectInputFilter pattern admits java.net.** and 
enables DNS-based information disclosure"
+description: "The default ObjectInputFilter pattern shipped with several 
Apache Camel components for defense-in-depth deserialization filtering 
('java.**;javax.**;org.apache.camel.**;!*', or the no-'javax.**' variant in the 
aggregation-repository components) uses a recursive 'java.**' glob that admits 
classes whose hashCode/equals/readObject methods perform network I/O, notably 
java.net.URL and java.net.InetAddress. When an attacker can deliver a 
Java-serialized payload to an affected Ca [...]
+mitigation: "Users are recommended to upgrade to a version that contains the 
CAMEL-23372 fix once available: 4.21.0 for the 4.21.x line, 4.18.3 for the 
4.18.x line, and 4.14.8 for the 4.14.x line. For deployments that cannot 
upgrade immediately, configure a JMS-provider-side allow-list (Apache ActiveMQ 
Artemis 'deserializationAllowList' / 'deserializationDenyList', Apache ActiveMQ 
Classic 'org.apache.activemq.SERIALIZABLE_PACKAGES') as the primary mitigation, 
and/or override the in-code  [...]
+credit: "This vulnerability was reported by Venkatraman Kumar from Securin and 
Yu Bao from Paypal"
+affected: "Apache Camel 4.14.0 through 4.14.7 (4.14.x line). Apache Camel 
4.18.0 through 4.18.2 (4.18.x line). Apache Camel 4.20.0."
+fixed: "4.14.8, 4.18.3, 4.21.0."
+---
+
+The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23372 refers to 
the commits that resolved the issue, and has more details.
+
+The defective default deserialization filter was introduced by the 
CAMEL-23297, CAMEL-23319, CAMEL-23321, CAMEL-23322, and CAMEL-23324 hardening 
series. The fix was merged on main in 
https://github.com/apache/camel/pull/22801 (commit 
1b60801edf9864465db7abf391539ee425a53e2c). Backports are tracked in 
https://github.com/apache/camel/pull/22813 (camel-4.18.x) and 
https://github.com/apache/camel/pull/22815 (camel-4.14.x).
diff --git a/content/security/CVE-2026-42527.txt.asc 
b/content/security/CVE-2026-42527.txt.asc
new file mode 100644
index 00000000..3fcfc109
--- /dev/null
+++ b/content/security/CVE-2026-42527.txt.asc
@@ -0,0 +1,33 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+- ---
+title: "Apache Camel Security Advisory - CVE-2026-42527"
+date: 2026-04-29T10:00:00+02:00
+url: /security/CVE-2026-42527.html
+draft: false
+type: security-advisory
+cve: CVE-2026-42527
+severity: MEDIUM
+summary: "Permissive default ObjectInputFilter pattern admits java.net.** and 
enables DNS-based information disclosure"
+description: "The default ObjectInputFilter pattern shipped with several 
Apache Camel components for defense-in-depth deserialization filtering 
('java.**;javax.**;org.apache.camel.**;!*', or the no-'javax.**' variant in the 
aggregation-repository components) uses a recursive 'java.**' glob that admits 
classes whose hashCode/equals/readObject methods perform network I/O, notably 
java.net.URL and java.net.InetAddress. When an attacker can deliver a 
Java-serialized payload to an affected Ca [...]
+mitigation: "Users are recommended to upgrade to a version that contains the 
CAMEL-23372 fix once available: 4.21.0 for the 4.21.x line, 4.18.3 for the 
4.18.x line, and 4.14.8 for the 4.14.x line. For deployments that cannot 
upgrade immediately, configure a JMS-provider-side allow-list (Apache ActiveMQ 
Artemis 'deserializationAllowList' / 'deserializationDenyList', Apache ActiveMQ 
Classic 'org.apache.activemq.SERIALIZABLE_PACKAGES') as the primary mitigation, 
and/or override the in-code  [...]
+credit: "This vulnerability was reported by Venkatraman Kumar from Securin and 
Yu Bao from Paypal"
+affected: "Apache Camel 4.14.0 through 4.14.7 (4.14.x line). Apache Camel 
4.18.0 through 4.18.2 (4.18.x line). Apache Camel 4.20.0."
+fixed: "4.14.8, 4.18.3, 4.21.0."
+- ---
+
+The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23372 refers to 
the commits that resolved the issue, and has more details.
+
+The defective default deserialization filter was introduced by the 
CAMEL-23297, CAMEL-23319, CAMEL-23321, CAMEL-23322, and CAMEL-23324 hardening 
series. The fix was merged on main in 
https://github.com/apache/camel/pull/22801 (commit 
1b60801edf9864465db7abf391539ee425a53e2c). Backports are tracked in 
https://github.com/apache/camel/pull/22813 (camel-4.18.x) and 
https://github.com/apache/camel/pull/22815 (camel-4.14.x).
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmovy8AACgkQ406fOAL/
+QQATAgf+KdLIL11FnB26cqHefC0vLJEF2FZpkaWrdGwJE35DRhcTeKZJEGOsifww
+yUuV3J8eM8mR+Iy+2QDPs/ucOYLWXum6Wrtn4pkqU4Z391hOtsQm0Y3ojMVNTuxe
+qr1CDxSK5fhF2t0OVY48Iekqfq9tfF5tgwgCKUS5P3JTjD1i+MDHv7tUQSl8f0T1
+eBcFx2sBx2GZnApSaK2GnMN2p3LrCYDH0cZGyT1As2BiQ/cbprf1KjuRs75MTAy0
+UNyMUJc9UsBTvlJc/vIdGZNw7rLdewfr9j2Dl74kYpX9FEDYMqt0K8oxURDec1AN
+A7VpSqo3LFVbDdzURHzjp468Qctszg==
+=3RgU
+-----END PGP SIGNATURE-----

Reply via email to