This is an automated email from the ASF dual-hosted git repository. oscerd pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/camel-website.git
commit 89cbc85d0df92514303d0ef37eab2e2a77cb9f7e Author: Andrea Cosentino <[email protected]> AuthorDate: Fri Jun 19 12:13:32 2026 +0200 Add CVE-2026-56140 (camel-aws2-sns defense-in-depth hardening) CAMEL-23506 added an inbound Camel-namespace filter to Sns2HeaderFilterStrategy alongside the camel-aws2-sqs fix. camel-aws2-sns is producer-only (Sns2Endpoint.createConsumer throws UnsupportedOperationException), so there is no reachable inbound header-injection path; document this as a LOW-severity defense-in-depth hardening advisory rather than an exploitable vulnerability, cross-referencing the consumer-side camel-aws2-sqs issue CVE-2026-46456. Shares the same fix (PR apache/camel [...] Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]> Signed-off-by: Andrea Cosentino <[email protected]> --- content/security/CVE-2026-46456.md | 2 +- content/security/CVE-2026-46456.txt.asc | 18 +++++++++--------- content/security/CVE-2026-56140.md | 17 +++++++++++++++++ content/security/CVE-2026-56140.txt.asc | 31 +++++++++++++++++++++++++++++++ 4 files changed, 58 insertions(+), 10 deletions(-) diff --git a/content/security/CVE-2026-46456.md b/content/security/CVE-2026-46456.md index d1d5ac9f..cb22f1f2 100644 --- a/content/security/CVE-2026-46456.md +++ b/content/security/CVE-2026-46456.md @@ -14,4 +14,4 @@ affected: "From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 befo fixed: 4.14.8, 4.18.3 and 4.21.0 --- -The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23506 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23221 (commit 5f57258fb33d33ef99df10594f8fe9f11d7c2b7e) and backported to camel-4.18.x (commit 7b334be0419839097a132d4ff3427fc4083e695e) and camel-4.14.x (commit b7f78292e747a28dbf5da444265557b5f9f3c1a1). The issue is classified as CWE-20 (Improper Input Validation). It belongs t [...] +The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23506 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23221 (commit 5f57258fb33d33ef99df10594f8fe9f11d7c2b7e) and backported to camel-4.18.x (commit 7b334be0419839097a132d4ff3427fc4083e695e) and camel-4.14.x (commit b7f78292e747a28dbf5da444265557b5f9f3c1a1). The issue is classified as CWE-20 (Improper Input Validation). It belongs t [...] diff --git a/content/security/CVE-2026-46456.txt.asc b/content/security/CVE-2026-46456.txt.asc index 0d678e39..a4337324 100644 --- a/content/security/CVE-2026-46456.txt.asc +++ b/content/security/CVE-2026-46456.txt.asc @@ -17,15 +17,15 @@ affected: "From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 befo fixed: 4.14.8, 4.18.3 and 4.21.0 - --- -The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23506 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23221 (commit 5f57258fb33d33ef99df10594f8fe9f11d7c2b7e) and backported to camel-4.18.x (commit 7b334be0419839097a132d4ff3427fc4083e695e) and camel-4.14.x (commit b7f78292e747a28dbf5da444265557b5f9f3c1a1). The issue is classified as CWE-20 (Improper Input Validation). It belongs t [...] +The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23506 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23221 (commit 5f57258fb33d33ef99df10594f8fe9f11d7c2b7e) and backported to camel-4.18.x (commit 7b334be0419839097a132d4ff3427fc4083e695e) and camel-4.14.x (commit b7f78292e747a28dbf5da444265557b5f9f3c1a1). The issue is classified as CWE-20 (Improper Input Validation). It belongs t [...] -----BEGIN PGP SIGNATURE----- -iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmoyo1gACgkQ406fOAL/ -QQCyvggAql9wHXpY/x2jlr01p999d4PwDHRN8mQhSR1eKA9FaZDPXttQcxtdTZNr -qgxzjhO1hI24NT2O7gdCj9HVN1NVbXreNOF31twq0kAYalyuzJ+/CZ2HSvj4RPh1 -SwTLvHP1WLBZ6TEj6yWIPFMOLvzsj+shqhLoESqReo0QE9grx4rIe4AqYpzpmkGW -qi9o9KmlnAmpa6oj0yIZQAexn1HSydy9PQ7XXisFB1AxvNBvmW1NlGIkLGdr+e9k -HWPUCgObroupRRiUN/T+YuSNQILIzZLTrgrstPplJcDyAHJokhHSlmim9v87ey6e -cJybqgoQuk4sf2/JPgWyizM4PvD/Xg== -=0BwF +iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmo1FZQACgkQ406fOAL/ +QQA2GwgAtv+cPj7UTlFy4uI/exPy9K6PDkLgzvZJozUp1/WOZUnmu9DK/fVp2yHG +9gsET7HZ32I/PhRKL/eWqMzi2g30kYC4iDHzY7yexDDBTLR3WJD9uqZDd3gBveeC +z9WF4Iki8Kxn+T8zQEVVYouqaXDxxlJbowwz/1DpPfAdoGVnf1mgwYbxQkserpvl +CMmWCWYpcqeMwdwhym/FjgFT9dCf6Q8jqz3vFZUYFdCeEBFoib++OY3I7uBOaUW5 +U4ACPZtNFjp+5VmfVDIq0A7E8vUIh9xAr+UDKW5hNdZOuwCfRqgy1KNNUhv1SKda +KGG4goSkEYuN/xrGzukDUiQGVAj8mA== +=de39 -----END PGP SIGNATURE----- diff --git a/content/security/CVE-2026-56140.md b/content/security/CVE-2026-56140.md new file mode 100644 index 00000000..cb4c6016 --- /dev/null +++ b/content/security/CVE-2026-56140.md @@ -0,0 +1,17 @@ +--- +title: "Apache Camel Security Advisory - CVE-2026-56140" +date: 2026-06-18T10:00:00+02:00 +url: /security/CVE-2026-56140.html +draft: false +type: security-advisory +cve: CVE-2026-56140 +severity: LOW +summary: "Camel-AWS2-SNS: An inbound Camel-namespace filter was added to Sns2HeaderFilterStrategy to align it with sibling components; because camel-aws2-sns is producer-only (no consumer) there is no reachable inbound header-injection path, so this is a defense-in-depth hardening change related to the camel-aws2-sqs issue CVE-2026-46456" +description: "The camel-aws2-sns component filters Camel headers through a component-specific HeaderFilterStrategy, Sns2HeaderFilterStrategy. Like the sibling Sqs2HeaderFilterStrategy, it originally configured only an outbound filter (setOutFilterPattern, which blocks Camel*, breadcrumbId and org.apache.camel.* headers from being written out) and did not configure an inbound filter rule. For the related camel-aws2-sqs component this inbound gap was exploitable, because the Sqs2Consumer m [...] +mitigation: "This is a defense-in-depth hardening change with no known exploit path in camel-aws2-sns, which is producer-only, so no urgent action or workaround is required. Users who want the aligned behaviour can upgrade to version 4.21.0, or to 4.14.8 on the 4.14.x LTS releases stream, or to 4.18.3 on the 4.18.x releases stream, which contain the change. As a general best practice, operators should continue to apply least-privilege IAM permissions on their SNS topics." +credit: "This issue was reported by Yu Bao from PayPal, alongside the related camel-aws2-sqs issue (CVE-2026-46456)" +affected: "From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0." +fixed: 4.14.8, 4.18.3 and 4.21.0 +--- + +The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23506 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23221 (commit 5f57258fb33d33ef99df10594f8fe9f11d7c2b7e) and backported to camel-4.18.x (commit 7b334be0419839097a132d4ff3427fc4083e695e) and camel-4.14.x (commit b7f78292e747a28dbf5da444265557b5f9f3c1a1). The change adds setInFilterStartsWith for the Camel namespace to Sns2Header [...] diff --git a/content/security/CVE-2026-56140.txt.asc b/content/security/CVE-2026-56140.txt.asc new file mode 100644 index 00000000..536a8353 --- /dev/null +++ b/content/security/CVE-2026-56140.txt.asc @@ -0,0 +1,31 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +- --- +title: "Apache Camel Security Advisory - CVE-2026-56140" +date: 2026-06-18T10:00:00+02:00 +url: /security/CVE-2026-56140.html +draft: false +type: security-advisory +cve: CVE-2026-56140 +severity: LOW +summary: "Camel-AWS2-SNS: An inbound Camel-namespace filter was added to Sns2HeaderFilterStrategy to align it with sibling components; because camel-aws2-sns is producer-only (no consumer) there is no reachable inbound header-injection path, so this is a defense-in-depth hardening change related to the camel-aws2-sqs issue CVE-2026-46456" +description: "The camel-aws2-sns component filters Camel headers through a component-specific HeaderFilterStrategy, Sns2HeaderFilterStrategy. Like the sibling Sqs2HeaderFilterStrategy, it originally configured only an outbound filter (setOutFilterPattern, which blocks Camel*, breadcrumbId and org.apache.camel.* headers from being written out) and did not configure an inbound filter rule. For the related camel-aws2-sqs component this inbound gap was exploitable, because the Sqs2Consumer m [...] +mitigation: "This is a defense-in-depth hardening change with no known exploit path in camel-aws2-sns, which is producer-only, so no urgent action or workaround is required. Users who want the aligned behaviour can upgrade to version 4.21.0, or to 4.14.8 on the 4.14.x LTS releases stream, or to 4.18.3 on the 4.18.x releases stream, which contain the change. As a general best practice, operators should continue to apply least-privilege IAM permissions on their SNS topics." +credit: "This issue was reported by Yu Bao from PayPal, alongside the related camel-aws2-sqs issue (CVE-2026-46456)" +affected: "From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0." +fixed: 4.14.8, 4.18.3 and 4.21.0 +- --- + +The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23506 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23221 (commit 5f57258fb33d33ef99df10594f8fe9f11d7c2b7e) and backported to camel-4.18.x (commit 7b334be0419839097a132d4ff3427fc4083e695e) and camel-4.14.x (commit b7f78292e747a28dbf5da444265557b5f9f3c1a1). The change adds setInFilterStartsWith for the Camel namespace to Sns2Header [...] +-----BEGIN PGP SIGNATURE----- + +iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmo1FZQACgkQ406fOAL/ +QQAxeAf+N04am8wKY2AE7xhjf4wNeC2K151K+sbZIVbeCBK9TgH1A/MkHMFn/d6X +2XM6GaIkfzipkX4WUZ8IG8vD0YgR76GSv3FUKhG0lxamLcr6xiUNCxWxKeKerdqn +r4kC6kG7c/o2pE4lyYV37o/7b1iNQ6LdpQAtv6C+jufVHLP10Q45pkn6dBFaNeHF +f2cWjttdz+B4UvD2W8KJK3K0hUfWbzCNHuETqfrYiP1qIv4EwWipKy292HLmJBmZ +XC4mHMvg56b8zF/yfi0aUCGB5u8IqdcSvKW6YzJmsT8rf+9gKFHKuXPcVlZHpoZ/ +LZIDXeNRx5KK1tHJwcGRISTDr25ung== +=Ghkm +-----END PGP SIGNATURE-----
