This is an automated email from the ASF dual-hosted git repository.

oscerd pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel-website.git

commit 28dc0b90f29d110e91ea0b6d8531fdc3f45ecf9c
Author: Andrea Cosentino <[email protected]>
AuthorDate: Mon Jun 15 12:27:06 2026 +0200

    Added CVE-2026-48205
    
    Signed-off-by: Andrea Cosentino <[email protected]>
---
 content/security/CVE-2026-48205.md      | 17 +++++++++++++++++
 content/security/CVE-2026-48205.txt.asc | 31 +++++++++++++++++++++++++++++++
 2 files changed, 48 insertions(+)

diff --git a/content/security/CVE-2026-48205.md 
b/content/security/CVE-2026-48205.md
new file mode 100644
index 00000000..7015ddb9
--- /dev/null
+++ b/content/security/CVE-2026-48205.md
@@ -0,0 +1,17 @@
+---
+title: "Apache Camel Security Advisory - CVE-2026-48205"
+date: 2026-06-11T10:00:00+02:00
+url: /security/CVE-2026-48205.html
+draft: false
+type: security-advisory
+cve: CVE-2026-48205
+severity: MEDIUM
+summary: "Apache Camel: Camel-DNS: The dns.* and term Exchange header 
constants used non-Camel-prefixed names that bypass the HTTP header filter, 
allowing an HTTP client to redirect DNS queries to an attacker-controlled 
server (server-side request forgery) and enumerate internal hostnames"
+description: "The camel-dns producers read DNS operation parameters - the 
resolver to query, the name or domain to look up, the record type and class, 
and the search term - from Exchange message headers whose constant values 
(DnsConstants.DNS_SERVER, DNS_NAME, DNS_DOMAIN, DNS_TYPE, DNS_CLASS, TERM) were 
the plain strings dns.server, dns.name, dns.domain, dns.type, dns.class and 
term. Because these names do not start with the Camel / camel prefix, 
HttpHeaderFilterStrategy - which blocks o [...]
+mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes 
the issue. If users are on the 4.14.x LTS releases stream, then they are 
suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, 
then they are suggested to upgrade to 4.18.3. After upgrading, routes that 
drive DNS operations via the raw header names must use CamelDnsServer / 
CamelDnsName / CamelDnsDomain / CamelDnsType / CamelDnsClass / CamelDnsTerm 
instead of the dns.* / term names. For depl [...]
+credit: "This issue was discovered by Yu Bao from PayPal"
+affected: "From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 
before 4.21.0."
+fixed: 4.14.8, 4.18.3 and 4.21.0
+---
+
+The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23574 refers to 
the various commits that resolved the issue, and have more details. The fix was 
merged on main in https://github.com/apache/camel/pull/23411 (commit 
bdd40cf23f2b22cd293ddad319069a7b3b3c6c70) and backported to camel-4.18.x 
(commit 29b18beaf1fb07276de909b8e19cd87f01e8abd9) and camel-4.14.x (commit 
a6d8a44684c0116531e70ad8eb8bb37bd5601e98). The fix renames the camel-dns 
Exchange header values to the Camel conventio [...]
diff --git a/content/security/CVE-2026-48205.txt.asc 
b/content/security/CVE-2026-48205.txt.asc
new file mode 100644
index 00000000..575069e2
--- /dev/null
+++ b/content/security/CVE-2026-48205.txt.asc
@@ -0,0 +1,31 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+- ---
+title: "Apache Camel Security Advisory - CVE-2026-48205"
+date: 2026-06-11T10:00:00+02:00
+url: /security/CVE-2026-48205.html
+draft: false
+type: security-advisory
+cve: CVE-2026-48205
+severity: MEDIUM
+summary: "Apache Camel: Camel-DNS: The dns.* and term Exchange header 
constants used non-Camel-prefixed names that bypass the HTTP header filter, 
allowing an HTTP client to redirect DNS queries to an attacker-controlled 
server (server-side request forgery) and enumerate internal hostnames"
+description: "The camel-dns producers read DNS operation parameters - the 
resolver to query, the name or domain to look up, the record type and class, 
and the search term - from Exchange message headers whose constant values 
(DnsConstants.DNS_SERVER, DNS_NAME, DNS_DOMAIN, DNS_TYPE, DNS_CLASS, TERM) were 
the plain strings dns.server, dns.name, dns.domain, dns.type, dns.class and 
term. Because these names do not start with the Camel / camel prefix, 
HttpHeaderFilterStrategy - which blocks o [...]
+mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes 
the issue. If users are on the 4.14.x LTS releases stream, then they are 
suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, 
then they are suggested to upgrade to 4.18.3. After upgrading, routes that 
drive DNS operations via the raw header names must use CamelDnsServer / 
CamelDnsName / CamelDnsDomain / CamelDnsType / CamelDnsClass / CamelDnsTerm 
instead of the dns.* / term names. For depl [...]
+credit: "This issue was discovered by Yu Bao from PayPal"
+affected: "From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 
before 4.21.0."
+fixed: 4.14.8, 4.18.3 and 4.21.0
+- ---
+
+The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23574 refers to 
the various commits that resolved the issue, and have more details. The fix was 
merged on main in https://github.com/apache/camel/pull/23411 (commit 
bdd40cf23f2b22cd293ddad319069a7b3b3c6c70) and backported to camel-4.18.x 
(commit 29b18beaf1fb07276de909b8e19cd87f01e8abd9) and camel-4.14.x (commit 
a6d8a44684c0116531e70ad8eb8bb37bd5601e98). The fix renames the camel-dns 
Exchange header values to the Camel conventio [...]
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmovx0kACgkQ406fOAL/
+QQCD9gf+J/fqPgskztbdjzddPWby3VCX5r+vOKXjh48+ptMUFk3+0XUd2jFyAfn6
+ddH/FZa/72L5j01cqps53IL4s8v6bOySG6FIQXO36W/HOe5ASkSR4ldsGC4NAMyH
+keX3tLpeq0zHaBHPkCAWduD2ztfbYoYdaZPZy2baY+T7f8mF3UNd8KKEeK5+0w8W
+ZV5vHxMo+zQNL3dSmfx0fPB7Xf1rk40o+V1BAe3EbiY3uCrA92hX0Nd5emreK20o
+GLcDioVMIjRRP77IDs7err9WPkFbMnz2mCSeIgTy6eemw0I0VM+E6vQt4BfgkrqT
+gfybnZ9zf1im0CjoXGwhA/YZsi4igw==
+=XlBd
+-----END PGP SIGNATURE-----

Reply via email to