This is an automated email from the ASF dual-hosted git repository.

oscerd pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel-website.git

commit df5c149f6885500a55814ec4039af1fcc97aeb59
Author: Andrea Cosentino <[email protected]>
AuthorDate: Thu Jun 18 10:28:27 2026 +0200

    Add CVE-2026-55993 (atmosphere-websocket) and CVE-2026-55994 (iggy) 
advisories
    
    Split the camel-atmosphere-websocket and camel-iggy consumers out of 
CVE-2026-46726 into their own advisories, since each now has a dedicated CVE 
id. All three share the same fix (CAMEL-23532, PR apache/camel#23285): inbound 
external parameters were mapped into the Exchange without a 
HeaderFilterStrategy, allowing Camel control-header injection (SSRF and secret 
disclosure when bridged to an HTTP producer). Atmosphere-websocket (from 4.0.0) 
is fixed in 4.14.8/4.18.3/4.21.0; iggy (intro [...]
    
    Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
    Signed-off-by: Andrea Cosentino <[email protected]>
---
 content/security/CVE-2026-46726.md      |  2 +-
 content/security/CVE-2026-46726.txt.asc | 18 +++++++++---------
 content/security/CVE-2026-55993.md      | 17 +++++++++++++++++
 content/security/CVE-2026-55993.txt.asc | 31 +++++++++++++++++++++++++++++++
 content/security/CVE-2026-55994.md      | 17 +++++++++++++++++
 content/security/CVE-2026-55994.txt.asc | 31 +++++++++++++++++++++++++++++++
 6 files changed, 106 insertions(+), 10 deletions(-)

diff --git a/content/security/CVE-2026-46726.md 
b/content/security/CVE-2026-46726.md
index 21092240..38fd63af 100644
--- a/content/security/CVE-2026-46726.md
+++ b/content/security/CVE-2026-46726.md
@@ -14,4 +14,4 @@ affected: "From 4.0.0 before 4.14.8, from 4.15.0 before 
4.18.3, from 4.19.0 befo
 fixed: 4.14.8, 4.18.3 and 4.21.0
 ---
 
-The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23532 refers to 
the various commits that resolved the issue, and have more details. The fix was 
merged on main in https://github.com/apache/camel/pull/23285 (commit 
1e776238202edb9d98972cff558e12b53e499647) and backported to camel-4.18.x 
(commit 88c43e3af36013585b5483c671950f30e5833a5f) and camel-4.14.x (commit 
508fc15deca97ba373eb3881a00e220eab9ec428). The fix adds a dedicated 
HeaderFilterStrategy to each affected consumer - a [...]
+The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23532 refers to 
the various commits that resolved the issue, and have more details. The fix was 
merged on main in https://github.com/apache/camel/pull/23285 (commit 
1e776238202edb9d98972cff558e12b53e499647) and backported to camel-4.18.x 
(commit 88c43e3af36013585b5483c671950f30e5833a5f) and camel-4.14.x (commit 
508fc15deca97ba373eb3881a00e220eab9ec428). The fix adds a dedicated 
HeaderFilterStrategy to each affected consumer - a [...]
diff --git a/content/security/CVE-2026-46726.txt.asc 
b/content/security/CVE-2026-46726.txt.asc
index a57d5078..7749e26a 100644
--- a/content/security/CVE-2026-46726.txt.asc
+++ b/content/security/CVE-2026-46726.txt.asc
@@ -17,15 +17,15 @@ affected: "From 4.0.0 before 4.14.8, from 4.15.0 before 
4.18.3, from 4.19.0 befo
 fixed: 4.14.8, 4.18.3 and 4.21.0
 - ---
 
-The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23532 refers to 
the various commits that resolved the issue, and have more details. The fix was 
merged on main in https://github.com/apache/camel/pull/23285 (commit 
1e776238202edb9d98972cff558e12b53e499647) and backported to camel-4.18.x 
(commit 88c43e3af36013585b5483c671950f30e5833a5f) and camel-4.14.x (commit 
508fc15deca97ba373eb3881a00e220eab9ec428). The fix adds a dedicated 
HeaderFilterStrategy to each affected consumer - a [...]
+The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23532 refers to 
the various commits that resolved the issue, and have more details. The fix was 
merged on main in https://github.com/apache/camel/pull/23285 (commit 
1e776238202edb9d98972cff558e12b53e499647) and backported to camel-4.18.x 
(commit 88c43e3af36013585b5483c671950f30e5833a5f) and camel-4.14.x (commit 
508fc15deca97ba373eb3881a00e220eab9ec428). The fix adds a dedicated 
HeaderFilterStrategy to each affected consumer - a [...]
 -----BEGIN PGP SIGNATURE-----
 
-iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmoyo1kACgkQ406fOAL/
-QQAAogf+Ja+WDUdgK2lM9BATzOZedlWea2hr+L1xWoXLHwBbLU/0HAr9YgRAEk0D
-4TFvTF0W6HxR7nXsCMZZTJOGtQcCfxzJtQlLRJJjotn3njVWqaCuLL+GvRDi5156
-VJnK7GcEqJeGttF9kLZSVlsqxBOqEBgnSUQtfvMQqqEt4Pc4SYYJWohaL934zCVa
-i8CV+v2h4ozR11voFi88H+Exsg8ebk81IGwWOJAmEQAUOgU1WeOvvfdL5k4nRE+a
-SAmEUphHkxzqFNx+z2WPsC3q1CDZl7CaxoB3skihL/ePw2K7pFC0SVs8CaaTQvKE
-DM8A0nejClYGPBlG36wkI8Lk/SmXTQ==
-=W9wM
+iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmozrAoACgkQ406fOAL/
+QQBrTAf/al2aZxYukhrMwEBny1REGyhlNf1o7IcWExkk1XgT6XAH2ZvFLRp8LuHm
+nJvptZMY+0Y8pOaEfi0n45wkiuSNCc13zHrV8FAJrML4M2+Tb3wXl/MXLXrDJo34
+5E/fTkEh93jT/DIfYAp1oIT9Ma6pjH6MhAyJ7jyN8XveRgT/2urAE/ebxaWoKuWy
+tvBaBD/2mOQfNKzBWTteFTN6PCyedyw86juERZUyIuN3fKtstEvIk7KUp2n9FC1Q
+wawpMTCuN5m0BX0EcFgeijqmTD3FoUzd2d0M/k+2iF5xdE31FruTvjYKDSPjcaoF
+d1FWV3kzOi6vEaZG4mKpXJvDJgq5DA==
+=em6K
 -----END PGP SIGNATURE-----
diff --git a/content/security/CVE-2026-55993.md 
b/content/security/CVE-2026-55993.md
new file mode 100644
index 00000000..a5365165
--- /dev/null
+++ b/content/security/CVE-2026-55993.md
@@ -0,0 +1,17 @@
+---
+title: "Apache Camel Security Advisory - CVE-2026-55993"
+date: 2026-06-18T10:00:00+02:00
+url: /security/CVE-2026-55993.html
+draft: false
+type: security-advisory
+cve: CVE-2026-55993
+severity: HIGH
+summary: "Camel-Atmosphere-Websocket: The inbound consumer maps 
externally-supplied WebSocket query parameters into the Exchange without a 
HeaderFilterStrategy, allowing injection of Camel control headers - enabling 
server-side request forgery and disclosure of secrets when bridged to an HTTP 
producer"
+description: "The camel-atmosphere-websocket consumer mapped inbound WebSocket 
query parameters into the Camel Exchange header map without applying any 
HeaderFilterStrategy (WebsocketConsumer.sendEventNotification() iterates the 
query-string map collected in WebsocketConsumer.service() and copies each entry 
into the Exchange). Because nothing blocked the Camel header namespace, a 
client connecting to the WebSocket endpoint could set Camel-internal control 
headers - including CamelHttpUri [...]
+mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes 
the issue. If users are on the 4.14.x LTS releases stream, then they are 
suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, 
then they are suggested to upgrade to 4.18.3. The fix makes the consumer apply 
the HeaderFilterStrategy it already inherits from the HTTP/servlet stack, 
filtering the Camel header namespace case-insensitively on inbound mapping, so 
externally-supplied Camel* / camel [...]
+credit: "This issue was discovered by Kamalpreet Singh"
+affected: "From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 
before 4.21.0."
+fixed: 4.14.8, 4.18.3 and 4.21.0
+---
+
+The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23532 refers to 
the various commits that resolved the issue, and have more details. The fix was 
merged on main in https://github.com/apache/camel/pull/23285 (commit 
1e776238202edb9d98972cff558e12b53e499647) and backported to camel-4.18.x 
(commit 88c43e3af36013585b5483c671950f30e5833a5f) and camel-4.14.x (commit 
508fc15deca97ba373eb3881a00e220eab9ec428). The fix makes the 
camel-atmosphere-websocket consumer apply the HeaderFilte [...]
diff --git a/content/security/CVE-2026-55993.txt.asc 
b/content/security/CVE-2026-55993.txt.asc
new file mode 100644
index 00000000..2c06795b
--- /dev/null
+++ b/content/security/CVE-2026-55993.txt.asc
@@ -0,0 +1,31 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+- ---
+title: "Apache Camel Security Advisory - CVE-2026-55993"
+date: 2026-06-18T10:00:00+02:00
+url: /security/CVE-2026-55993.html
+draft: false
+type: security-advisory
+cve: CVE-2026-55993
+severity: HIGH
+summary: "Camel-Atmosphere-Websocket: The inbound consumer maps 
externally-supplied WebSocket query parameters into the Exchange without a 
HeaderFilterStrategy, allowing injection of Camel control headers - enabling 
server-side request forgery and disclosure of secrets when bridged to an HTTP 
producer"
+description: "The camel-atmosphere-websocket consumer mapped inbound WebSocket 
query parameters into the Camel Exchange header map without applying any 
HeaderFilterStrategy (WebsocketConsumer.sendEventNotification() iterates the 
query-string map collected in WebsocketConsumer.service() and copies each entry 
into the Exchange). Because nothing blocked the Camel header namespace, a 
client connecting to the WebSocket endpoint could set Camel-internal control 
headers - including CamelHttpUri [...]
+mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes 
the issue. If users are on the 4.14.x LTS releases stream, then they are 
suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, 
then they are suggested to upgrade to 4.18.3. The fix makes the consumer apply 
the HeaderFilterStrategy it already inherits from the HTTP/servlet stack, 
filtering the Camel header namespace case-insensitively on inbound mapping, so 
externally-supplied Camel* / camel [...]
+credit: "This issue was discovered by Kamalpreet Singh"
+affected: "From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 
before 4.21.0."
+fixed: 4.14.8, 4.18.3 and 4.21.0
+- ---
+
+The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23532 refers to 
the various commits that resolved the issue, and have more details. The fix was 
merged on main in https://github.com/apache/camel/pull/23285 (commit 
1e776238202edb9d98972cff558e12b53e499647) and backported to camel-4.18.x 
(commit 88c43e3af36013585b5483c671950f30e5833a5f) and camel-4.14.x (commit 
508fc15deca97ba373eb3881a00e220eab9ec428). The fix makes the 
camel-atmosphere-websocket consumer apply the HeaderFilte [...]
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmozqzIACgkQ406fOAL/
+QQAuqgf/Z9FFKSFpkazbpYBQp7xYrE6lbzbnLKqAi6rj9IDf6gIbh9UbEsMlPHCX
+WhznKQDDEVCL7XSskSdf45KFb8hzndD1D6hgDhygZvPkV8ngGqQEY4A+9AaQDQAR
+fI+lHCQwCNtEJVVSN7nBQb5PIKcsvBFMRZPTxsSoGrgEFcgeXYIpKuC4OWyQ46ou
+rmal9QKAyGUgs+wl1WbHG+3Bo3jTqgI4hSe10WK9/0aKXbuRWXExmL7yHScDM+5+
+GT1YkkF4E6FfMfnmzT9UEjMDVFN+WC1MrrurXxQI43LwJJGaWGtvaX2JZWKeZUB9
+ApJPogJ7BDgFUR1yJebOK7le6XvJXA==
+=1GAV
+-----END PGP SIGNATURE-----
diff --git a/content/security/CVE-2026-55994.md 
b/content/security/CVE-2026-55994.md
new file mode 100644
index 00000000..a41b6aff
--- /dev/null
+++ b/content/security/CVE-2026-55994.md
@@ -0,0 +1,17 @@
+---
+title: "Apache Camel Security Advisory - CVE-2026-55994"
+date: 2026-06-18T10:00:00+02:00
+url: /security/CVE-2026-55994.html
+draft: false
+type: security-advisory
+cve: CVE-2026-55994
+severity: HIGH
+summary: "Camel-Iggy: The inbound consumer maps externally-supplied Iggy 
message user-headers into the Exchange without a HeaderFilterStrategy, allowing 
injection of Camel control headers - enabling server-side request forgery and 
disclosure of secrets when bridged to an HTTP producer"
+description: "The camel-iggy consumer mapped the user-headers of inbound Iggy 
messages into the Camel Exchange header map without applying any 
HeaderFilterStrategy (IggyFetchRecords copied the message user-headers straight 
into the Exchange). Because nothing blocked the Camel header namespace, an 
actor able to publish to the consumed Iggy stream/topic could set 
Camel-internal control headers - including CamelHttpUri (Exchange.HTTP_URI) - 
simply by supplying them as message user-headers.  [...]
+mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes 
the issue. If users are on the 4.18.x releases stream, then they are suggested 
to upgrade to 4.18.3. The fix adds a dedicated IggyHeaderFilterStrategy (and a 
headerFilterStrategy endpoint option) that filters the Camel header namespace 
case-insensitively on inbound mapping, so externally-supplied Camel* / camel* 
headers are no longer copied into the Exchange. For deployments that cannot 
upgrade immediately, stri [...]
+credit: "This issue was discovered by Kamalpreet Singh"
+affected: "From 4.17.0 before 4.18.3, from 4.19.0 before 4.21.0."
+fixed: 4.18.3 and 4.21.0
+---
+
+The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23532 refers to 
the various commits that resolved the issue, and have more details. The fix was 
merged on main in https://github.com/apache/camel/pull/23285 (commit 
1e776238202edb9d98972cff558e12b53e499647) and backported to camel-4.18.x 
(commit 88c43e3af36013585b5483c671950f30e5833a5f). The fix adds a dedicated 
IggyHeaderFilterStrategy and a headerFilterStrategy endpoint option to 
camel-iggy, filtering the Camel header namespa [...]
diff --git a/content/security/CVE-2026-55994.txt.asc 
b/content/security/CVE-2026-55994.txt.asc
new file mode 100644
index 00000000..057edffb
--- /dev/null
+++ b/content/security/CVE-2026-55994.txt.asc
@@ -0,0 +1,31 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+- ---
+title: "Apache Camel Security Advisory - CVE-2026-55994"
+date: 2026-06-18T10:00:00+02:00
+url: /security/CVE-2026-55994.html
+draft: false
+type: security-advisory
+cve: CVE-2026-55994
+severity: HIGH
+summary: "Camel-Iggy: The inbound consumer maps externally-supplied Iggy 
message user-headers into the Exchange without a HeaderFilterStrategy, allowing 
injection of Camel control headers - enabling server-side request forgery and 
disclosure of secrets when bridged to an HTTP producer"
+description: "The camel-iggy consumer mapped the user-headers of inbound Iggy 
messages into the Camel Exchange header map without applying any 
HeaderFilterStrategy (IggyFetchRecords copied the message user-headers straight 
into the Exchange). Because nothing blocked the Camel header namespace, an 
actor able to publish to the consumed Iggy stream/topic could set 
Camel-internal control headers - including CamelHttpUri (Exchange.HTTP_URI) - 
simply by supplying them as message user-headers.  [...]
+mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes 
the issue. If users are on the 4.18.x releases stream, then they are suggested 
to upgrade to 4.18.3. The fix adds a dedicated IggyHeaderFilterStrategy (and a 
headerFilterStrategy endpoint option) that filters the Camel header namespace 
case-insensitively on inbound mapping, so externally-supplied Camel* / camel* 
headers are no longer copied into the Exchange. For deployments that cannot 
upgrade immediately, stri [...]
+credit: "This issue was discovered by Kamalpreet Singh"
+affected: "From 4.17.0 before 4.18.3, from 4.19.0 before 4.21.0."
+fixed: 4.18.3 and 4.21.0
+- ---
+
+The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23532 refers to 
the various commits that resolved the issue, and have more details. The fix was 
merged on main in https://github.com/apache/camel/pull/23285 (commit 
1e776238202edb9d98972cff558e12b53e499647) and backported to camel-4.18.x 
(commit 88c43e3af36013585b5483c671950f30e5833a5f). The fix adds a dedicated 
IggyHeaderFilterStrategy and a headerFilterStrategy endpoint option to 
camel-iggy, filtering the Camel header namespa [...]
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmozq0gACgkQ406fOAL/
+QQAnEQf9HGhvWhoX89P3xrVIDYEF4TUo//KqPX9esClVKLLEPjJ33RxJieWMh5G4
+TaTzUPtkF0AP/OdP2Z0lxZ02o237XUlZ+CneFbc50zC3x4HZzI4X8/q3FVwdmssg
+Z89c+3fgipjzQq3II7FedypFNe4KjN7LTXb5NdUPVrIbsin6/jrMbWW8MgH5yK7Z
+10x8O5R8Aq1sRDt09Axt2D1iBxsISHlMMzGVZdkahbgh8tQz7gxiy1/KNcMwKPiM
+iQqNoWNhvOB2+8JSkuOflYvHIxn9Uck8aroU0vwTdduL8nwTMz5Tj12VhBV1jrlE
+PExLeZO998JIte9K0U9lbxb7sn1avQ==
+=lPIw
+-----END PGP SIGNATURE-----

Reply via email to