This is an automated email from the ASF dual-hosted git repository. oscerd pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/camel-website.git
commit df5c149f6885500a55814ec4039af1fcc97aeb59 Author: Andrea Cosentino <[email protected]> AuthorDate: Thu Jun 18 10:28:27 2026 +0200 Add CVE-2026-55993 (atmosphere-websocket) and CVE-2026-55994 (iggy) advisories Split the camel-atmosphere-websocket and camel-iggy consumers out of CVE-2026-46726 into their own advisories, since each now has a dedicated CVE id. All three share the same fix (CAMEL-23532, PR apache/camel#23285): inbound external parameters were mapped into the Exchange without a HeaderFilterStrategy, allowing Camel control-header injection (SSRF and secret disclosure when bridged to an HTTP producer). Atmosphere-websocket (from 4.0.0) is fixed in 4.14.8/4.18.3/4.21.0; iggy (intro [...] Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]> Signed-off-by: Andrea Cosentino <[email protected]> --- content/security/CVE-2026-46726.md | 2 +- content/security/CVE-2026-46726.txt.asc | 18 +++++++++--------- content/security/CVE-2026-55993.md | 17 +++++++++++++++++ content/security/CVE-2026-55993.txt.asc | 31 +++++++++++++++++++++++++++++++ content/security/CVE-2026-55994.md | 17 +++++++++++++++++ content/security/CVE-2026-55994.txt.asc | 31 +++++++++++++++++++++++++++++++ 6 files changed, 106 insertions(+), 10 deletions(-) diff --git a/content/security/CVE-2026-46726.md b/content/security/CVE-2026-46726.md index 21092240..38fd63af 100644 --- a/content/security/CVE-2026-46726.md +++ b/content/security/CVE-2026-46726.md @@ -14,4 +14,4 @@ affected: "From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 befo fixed: 4.14.8, 4.18.3 and 4.21.0 --- -The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23532 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23285 (commit 1e776238202edb9d98972cff558e12b53e499647) and backported to camel-4.18.x (commit 88c43e3af36013585b5483c671950f30e5833a5f) and camel-4.14.x (commit 508fc15deca97ba373eb3881a00e220eab9ec428). The fix adds a dedicated HeaderFilterStrategy to each affected consumer - a [...] +The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23532 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23285 (commit 1e776238202edb9d98972cff558e12b53e499647) and backported to camel-4.18.x (commit 88c43e3af36013585b5483c671950f30e5833a5f) and camel-4.14.x (commit 508fc15deca97ba373eb3881a00e220eab9ec428). The fix adds a dedicated HeaderFilterStrategy to each affected consumer - a [...] diff --git a/content/security/CVE-2026-46726.txt.asc b/content/security/CVE-2026-46726.txt.asc index a57d5078..7749e26a 100644 --- a/content/security/CVE-2026-46726.txt.asc +++ b/content/security/CVE-2026-46726.txt.asc @@ -17,15 +17,15 @@ affected: "From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 befo fixed: 4.14.8, 4.18.3 and 4.21.0 - --- -The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23532 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23285 (commit 1e776238202edb9d98972cff558e12b53e499647) and backported to camel-4.18.x (commit 88c43e3af36013585b5483c671950f30e5833a5f) and camel-4.14.x (commit 508fc15deca97ba373eb3881a00e220eab9ec428). The fix adds a dedicated HeaderFilterStrategy to each affected consumer - a [...] +The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23532 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23285 (commit 1e776238202edb9d98972cff558e12b53e499647) and backported to camel-4.18.x (commit 88c43e3af36013585b5483c671950f30e5833a5f) and camel-4.14.x (commit 508fc15deca97ba373eb3881a00e220eab9ec428). The fix adds a dedicated HeaderFilterStrategy to each affected consumer - a [...] -----BEGIN PGP SIGNATURE----- -iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmoyo1kACgkQ406fOAL/ -QQAAogf+Ja+WDUdgK2lM9BATzOZedlWea2hr+L1xWoXLHwBbLU/0HAr9YgRAEk0D -4TFvTF0W6HxR7nXsCMZZTJOGtQcCfxzJtQlLRJJjotn3njVWqaCuLL+GvRDi5156 -VJnK7GcEqJeGttF9kLZSVlsqxBOqEBgnSUQtfvMQqqEt4Pc4SYYJWohaL934zCVa -i8CV+v2h4ozR11voFi88H+Exsg8ebk81IGwWOJAmEQAUOgU1WeOvvfdL5k4nRE+a -SAmEUphHkxzqFNx+z2WPsC3q1CDZl7CaxoB3skihL/ePw2K7pFC0SVs8CaaTQvKE -DM8A0nejClYGPBlG36wkI8Lk/SmXTQ== -=W9wM +iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmozrAoACgkQ406fOAL/ +QQBrTAf/al2aZxYukhrMwEBny1REGyhlNf1o7IcWExkk1XgT6XAH2ZvFLRp8LuHm +nJvptZMY+0Y8pOaEfi0n45wkiuSNCc13zHrV8FAJrML4M2+Tb3wXl/MXLXrDJo34 +5E/fTkEh93jT/DIfYAp1oIT9Ma6pjH6MhAyJ7jyN8XveRgT/2urAE/ebxaWoKuWy +tvBaBD/2mOQfNKzBWTteFTN6PCyedyw86juERZUyIuN3fKtstEvIk7KUp2n9FC1Q +wawpMTCuN5m0BX0EcFgeijqmTD3FoUzd2d0M/k+2iF5xdE31FruTvjYKDSPjcaoF +d1FWV3kzOi6vEaZG4mKpXJvDJgq5DA== +=em6K -----END PGP SIGNATURE----- diff --git a/content/security/CVE-2026-55993.md b/content/security/CVE-2026-55993.md new file mode 100644 index 00000000..a5365165 --- /dev/null +++ b/content/security/CVE-2026-55993.md @@ -0,0 +1,17 @@ +--- +title: "Apache Camel Security Advisory - CVE-2026-55993" +date: 2026-06-18T10:00:00+02:00 +url: /security/CVE-2026-55993.html +draft: false +type: security-advisory +cve: CVE-2026-55993 +severity: HIGH +summary: "Camel-Atmosphere-Websocket: The inbound consumer maps externally-supplied WebSocket query parameters into the Exchange without a HeaderFilterStrategy, allowing injection of Camel control headers - enabling server-side request forgery and disclosure of secrets when bridged to an HTTP producer" +description: "The camel-atmosphere-websocket consumer mapped inbound WebSocket query parameters into the Camel Exchange header map without applying any HeaderFilterStrategy (WebsocketConsumer.sendEventNotification() iterates the query-string map collected in WebsocketConsumer.service() and copies each entry into the Exchange). Because nothing blocked the Camel header namespace, a client connecting to the WebSocket endpoint could set Camel-internal control headers - including CamelHttpUri [...] +mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix makes the consumer apply the HeaderFilterStrategy it already inherits from the HTTP/servlet stack, filtering the Camel header namespace case-insensitively on inbound mapping, so externally-supplied Camel* / camel [...] +credit: "This issue was discovered by Kamalpreet Singh" +affected: "From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0." +fixed: 4.14.8, 4.18.3 and 4.21.0 +--- + +The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23532 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23285 (commit 1e776238202edb9d98972cff558e12b53e499647) and backported to camel-4.18.x (commit 88c43e3af36013585b5483c671950f30e5833a5f) and camel-4.14.x (commit 508fc15deca97ba373eb3881a00e220eab9ec428). The fix makes the camel-atmosphere-websocket consumer apply the HeaderFilte [...] diff --git a/content/security/CVE-2026-55993.txt.asc b/content/security/CVE-2026-55993.txt.asc new file mode 100644 index 00000000..2c06795b --- /dev/null +++ b/content/security/CVE-2026-55993.txt.asc @@ -0,0 +1,31 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +- --- +title: "Apache Camel Security Advisory - CVE-2026-55993" +date: 2026-06-18T10:00:00+02:00 +url: /security/CVE-2026-55993.html +draft: false +type: security-advisory +cve: CVE-2026-55993 +severity: HIGH +summary: "Camel-Atmosphere-Websocket: The inbound consumer maps externally-supplied WebSocket query parameters into the Exchange without a HeaderFilterStrategy, allowing injection of Camel control headers - enabling server-side request forgery and disclosure of secrets when bridged to an HTTP producer" +description: "The camel-atmosphere-websocket consumer mapped inbound WebSocket query parameters into the Camel Exchange header map without applying any HeaderFilterStrategy (WebsocketConsumer.sendEventNotification() iterates the query-string map collected in WebsocketConsumer.service() and copies each entry into the Exchange). Because nothing blocked the Camel header namespace, a client connecting to the WebSocket endpoint could set Camel-internal control headers - including CamelHttpUri [...] +mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix makes the consumer apply the HeaderFilterStrategy it already inherits from the HTTP/servlet stack, filtering the Camel header namespace case-insensitively on inbound mapping, so externally-supplied Camel* / camel [...] +credit: "This issue was discovered by Kamalpreet Singh" +affected: "From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0." +fixed: 4.14.8, 4.18.3 and 4.21.0 +- --- + +The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23532 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23285 (commit 1e776238202edb9d98972cff558e12b53e499647) and backported to camel-4.18.x (commit 88c43e3af36013585b5483c671950f30e5833a5f) and camel-4.14.x (commit 508fc15deca97ba373eb3881a00e220eab9ec428). The fix makes the camel-atmosphere-websocket consumer apply the HeaderFilte [...] +-----BEGIN PGP SIGNATURE----- + +iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmozqzIACgkQ406fOAL/ +QQAuqgf/Z9FFKSFpkazbpYBQp7xYrE6lbzbnLKqAi6rj9IDf6gIbh9UbEsMlPHCX +WhznKQDDEVCL7XSskSdf45KFb8hzndD1D6hgDhygZvPkV8ngGqQEY4A+9AaQDQAR +fI+lHCQwCNtEJVVSN7nBQb5PIKcsvBFMRZPTxsSoGrgEFcgeXYIpKuC4OWyQ46ou +rmal9QKAyGUgs+wl1WbHG+3Bo3jTqgI4hSe10WK9/0aKXbuRWXExmL7yHScDM+5+ +GT1YkkF4E6FfMfnmzT9UEjMDVFN+WC1MrrurXxQI43LwJJGaWGtvaX2JZWKeZUB9 +ApJPogJ7BDgFUR1yJebOK7le6XvJXA== +=1GAV +-----END PGP SIGNATURE----- diff --git a/content/security/CVE-2026-55994.md b/content/security/CVE-2026-55994.md new file mode 100644 index 00000000..a41b6aff --- /dev/null +++ b/content/security/CVE-2026-55994.md @@ -0,0 +1,17 @@ +--- +title: "Apache Camel Security Advisory - CVE-2026-55994" +date: 2026-06-18T10:00:00+02:00 +url: /security/CVE-2026-55994.html +draft: false +type: security-advisory +cve: CVE-2026-55994 +severity: HIGH +summary: "Camel-Iggy: The inbound consumer maps externally-supplied Iggy message user-headers into the Exchange without a HeaderFilterStrategy, allowing injection of Camel control headers - enabling server-side request forgery and disclosure of secrets when bridged to an HTTP producer" +description: "The camel-iggy consumer mapped the user-headers of inbound Iggy messages into the Camel Exchange header map without applying any HeaderFilterStrategy (IggyFetchRecords copied the message user-headers straight into the Exchange). Because nothing blocked the Camel header namespace, an actor able to publish to the consumed Iggy stream/topic could set Camel-internal control headers - including CamelHttpUri (Exchange.HTTP_URI) - simply by supplying them as message user-headers. [...] +mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix adds a dedicated IggyHeaderFilterStrategy (and a headerFilterStrategy endpoint option) that filters the Camel header namespace case-insensitively on inbound mapping, so externally-supplied Camel* / camel* headers are no longer copied into the Exchange. For deployments that cannot upgrade immediately, stri [...] +credit: "This issue was discovered by Kamalpreet Singh" +affected: "From 4.17.0 before 4.18.3, from 4.19.0 before 4.21.0." +fixed: 4.18.3 and 4.21.0 +--- + +The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23532 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23285 (commit 1e776238202edb9d98972cff558e12b53e499647) and backported to camel-4.18.x (commit 88c43e3af36013585b5483c671950f30e5833a5f). The fix adds a dedicated IggyHeaderFilterStrategy and a headerFilterStrategy endpoint option to camel-iggy, filtering the Camel header namespa [...] diff --git a/content/security/CVE-2026-55994.txt.asc b/content/security/CVE-2026-55994.txt.asc new file mode 100644 index 00000000..057edffb --- /dev/null +++ b/content/security/CVE-2026-55994.txt.asc @@ -0,0 +1,31 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +- --- +title: "Apache Camel Security Advisory - CVE-2026-55994" +date: 2026-06-18T10:00:00+02:00 +url: /security/CVE-2026-55994.html +draft: false +type: security-advisory +cve: CVE-2026-55994 +severity: HIGH +summary: "Camel-Iggy: The inbound consumer maps externally-supplied Iggy message user-headers into the Exchange without a HeaderFilterStrategy, allowing injection of Camel control headers - enabling server-side request forgery and disclosure of secrets when bridged to an HTTP producer" +description: "The camel-iggy consumer mapped the user-headers of inbound Iggy messages into the Camel Exchange header map without applying any HeaderFilterStrategy (IggyFetchRecords copied the message user-headers straight into the Exchange). Because nothing blocked the Camel header namespace, an actor able to publish to the consumed Iggy stream/topic could set Camel-internal control headers - including CamelHttpUri (Exchange.HTTP_URI) - simply by supplying them as message user-headers. [...] +mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix adds a dedicated IggyHeaderFilterStrategy (and a headerFilterStrategy endpoint option) that filters the Camel header namespace case-insensitively on inbound mapping, so externally-supplied Camel* / camel* headers are no longer copied into the Exchange. For deployments that cannot upgrade immediately, stri [...] +credit: "This issue was discovered by Kamalpreet Singh" +affected: "From 4.17.0 before 4.18.3, from 4.19.0 before 4.21.0." +fixed: 4.18.3 and 4.21.0 +- --- + +The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23532 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23285 (commit 1e776238202edb9d98972cff558e12b53e499647) and backported to camel-4.18.x (commit 88c43e3af36013585b5483c671950f30e5833a5f). The fix adds a dedicated IggyHeaderFilterStrategy and a headerFilterStrategy endpoint option to camel-iggy, filtering the Camel header namespa [...] +-----BEGIN PGP SIGNATURE----- + +iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmozq0gACgkQ406fOAL/ +QQAnEQf9HGhvWhoX89P3xrVIDYEF4TUo//KqPX9esClVKLLEPjJ33RxJieWMh5G4 +TaTzUPtkF0AP/OdP2Z0lxZ02o237XUlZ+CneFbc50zC3x4HZzI4X8/q3FVwdmssg +Z89c+3fgipjzQq3II7FedypFNe4KjN7LTXb5NdUPVrIbsin6/jrMbWW8MgH5yK7Z +10x8O5R8Aq1sRDt09Axt2D1iBxsISHlMMzGVZdkahbgh8tQz7gxiy1/KNcMwKPiM +iQqNoWNhvOB2+8JSkuOflYvHIxn9Uck8aroU0vwTdduL8nwTMz5Tj12VhBV1jrlE +PExLeZO998JIte9K0U9lbxb7sn1avQ== +=lPIw +-----END PGP SIGNATURE-----
