This is an automated email from the ASF dual-hosted git repository. oscerd pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/camel-website.git
commit 84679ba165ff4be32d5178819f71fbaa1823e5a7 Author: Andrea Cosentino <[email protected]> AuthorDate: Mon Jun 15 12:27:07 2026 +0200 Added CVE-2026-49365 Signed-off-by: Andrea Cosentino <[email protected]> --- content/security/CVE-2026-49365.md | 17 +++++++++++++++++ content/security/CVE-2026-49365.txt.asc | 31 +++++++++++++++++++++++++++++++ 2 files changed, 48 insertions(+) diff --git a/content/security/CVE-2026-49365.md b/content/security/CVE-2026-49365.md new file mode 100644 index 00000000..7ba889c8 --- /dev/null +++ b/content/security/CVE-2026-49365.md @@ -0,0 +1,17 @@ +--- +title: "Apache Camel Security Advisory - CVE-2026-49365" +date: 2026-06-11T10:00:00+02:00 +url: /security/CVE-2026-49365.html +draft: false +type: security-advisory +cve: CVE-2026-49365 +severity: MEDIUM +summary: "Apache Camel: Camel-Netty-HTTP and Camel-Undertow: The muteException consumer option defaulted to false, so a processing error returned the full Java stack trace in the HTTP response body, disclosing sensitive internal information to unauthenticated clients" +description: "The camel-netty-http and camel-undertow HTTP server consumers expose a muteException option that controls what is returned to the client when a route processing error occurs. In both components this option defaulted to false - in camel-netty-http because the backing field was an uninitialised primitive boolean (Java's default of false), and in camel-undertow likewise - whereas the other Camel HTTP server components (camel-http / camel-jetty / camel-servlet and camel-platfor [...] +mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. For deployments that cannot upgrade immediately, set muteException=true explicitly on the camel-netty-http and camel-undertow consumers (for example netty-http:http://0.0.0.0:8080/api?muteException=true, or globally via [...] +credit: "This issue was discovered by Yu Bao from PayPal" +affected: "From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0." +fixed: 4.14.8, 4.18.3 and 4.21.0 +--- + +The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23651 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23913 (commit 6cea553aa42ed1326ac57ad800d66674bc453932) and backported to camel-4.18.x (commit 1bd7389bd244da719404cf66d5b3676d41498bec) and camel-4.14.x (commit d3a13956ad2fd7280ad3ab678d79caf3bd0b4661). The fix aligns the muteException consumer-option default in camel-netty-htt [...] diff --git a/content/security/CVE-2026-49365.txt.asc b/content/security/CVE-2026-49365.txt.asc new file mode 100644 index 00000000..871599de --- /dev/null +++ b/content/security/CVE-2026-49365.txt.asc @@ -0,0 +1,31 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +- --- +title: "Apache Camel Security Advisory - CVE-2026-49365" +date: 2026-06-11T10:00:00+02:00 +url: /security/CVE-2026-49365.html +draft: false +type: security-advisory +cve: CVE-2026-49365 +severity: MEDIUM +summary: "Apache Camel: Camel-Netty-HTTP and Camel-Undertow: The muteException consumer option defaulted to false, so a processing error returned the full Java stack trace in the HTTP response body, disclosing sensitive internal information to unauthenticated clients" +description: "The camel-netty-http and camel-undertow HTTP server consumers expose a muteException option that controls what is returned to the client when a route processing error occurs. In both components this option defaulted to false - in camel-netty-http because the backing field was an uninitialised primitive boolean (Java's default of false), and in camel-undertow likewise - whereas the other Camel HTTP server components (camel-http / camel-jetty / camel-servlet and camel-platfor [...] +mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. For deployments that cannot upgrade immediately, set muteException=true explicitly on the camel-netty-http and camel-undertow consumers (for example netty-http:http://0.0.0.0:8080/api?muteException=true, or globally via [...] +credit: "This issue was discovered by Yu Bao from PayPal" +affected: "From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0." +fixed: 4.14.8, 4.18.3 and 4.21.0 +- --- + +The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23651 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23913 (commit 6cea553aa42ed1326ac57ad800d66674bc453932) and backported to camel-4.18.x (commit 1bd7389bd244da719404cf66d5b3676d41498bec) and camel-4.14.x (commit d3a13956ad2fd7280ad3ab678d79caf3bd0b4661). The fix aligns the muteException consumer-option default in camel-netty-htt [...] +-----BEGIN PGP SIGNATURE----- + +iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmovx0oACgkQ406fOAL/ +QQAmrAgAlj+tDSZ4/gtiIW41O31rLAvgMJ0U0hVefE354YUob/ca1mNkk35EEsAk +KdhXYXNTmN0ux4TIA5KvTCfGR4kp0jCBjShM4xOKZKNrSXWFoHoiUk/jn1CkYP8n ++JpIlc+33wqzCyWAkvgpJdfQdcaEeYoMP7WecWeX3hdF+QhvOr8veZXaDw2aMqug +uDRoUiWuzHHQjPts/nU2YnDGg2wGutXS+NakFbxbiKD21mM0nXRBeipJ21lq5eZ8 +vb1s8jU0BFSlJPKjKTypQKZFVrssTnUmehbXwRh2192i7TxaxnlUVD7qvDjhxOL8 +ex6SFZqtL6S8hS/w/5q5CHL2Oo16TQ== +=9yZh +-----END PGP SIGNATURE-----
