This is an automated email from the ASF dual-hosted git repository. oscerd pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/camel-website.git
commit 28dc0b90f29d110e91ea0b6d8531fdc3f45ecf9c Author: Andrea Cosentino <[email protected]> AuthorDate: Mon Jun 15 12:27:06 2026 +0200 Added CVE-2026-48205 Signed-off-by: Andrea Cosentino <[email protected]> --- content/security/CVE-2026-48205.md | 17 +++++++++++++++++ content/security/CVE-2026-48205.txt.asc | 31 +++++++++++++++++++++++++++++++ 2 files changed, 48 insertions(+) diff --git a/content/security/CVE-2026-48205.md b/content/security/CVE-2026-48205.md new file mode 100644 index 00000000..7015ddb9 --- /dev/null +++ b/content/security/CVE-2026-48205.md @@ -0,0 +1,17 @@ +--- +title: "Apache Camel Security Advisory - CVE-2026-48205" +date: 2026-06-11T10:00:00+02:00 +url: /security/CVE-2026-48205.html +draft: false +type: security-advisory +cve: CVE-2026-48205 +severity: MEDIUM +summary: "Apache Camel: Camel-DNS: The dns.* and term Exchange header constants used non-Camel-prefixed names that bypass the HTTP header filter, allowing an HTTP client to redirect DNS queries to an attacker-controlled server (server-side request forgery) and enumerate internal hostnames" +description: "The camel-dns producers read DNS operation parameters - the resolver to query, the name or domain to look up, the record type and class, and the search term - from Exchange message headers whose constant values (DnsConstants.DNS_SERVER, DNS_NAME, DNS_DOMAIN, DNS_TYPE, DNS_CLASS, TERM) were the plain strings dns.server, dns.name, dns.domain, dns.type, dns.class and term. Because these names do not start with the Camel / camel prefix, HttpHeaderFilterStrategy - which blocks o [...] +mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, routes that drive DNS operations via the raw header names must use CamelDnsServer / CamelDnsName / CamelDnsDomain / CamelDnsType / CamelDnsClass / CamelDnsTerm instead of the dns.* / term names. For depl [...] +credit: "This issue was discovered by Yu Bao from PayPal" +affected: "From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0." +fixed: 4.14.8, 4.18.3 and 4.21.0 +--- + +The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23574 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23411 (commit bdd40cf23f2b22cd293ddad319069a7b3b3c6c70) and backported to camel-4.18.x (commit 29b18beaf1fb07276de909b8e19cd87f01e8abd9) and camel-4.14.x (commit a6d8a44684c0116531e70ad8eb8bb37bd5601e98). The fix renames the camel-dns Exchange header values to the Camel conventio [...] diff --git a/content/security/CVE-2026-48205.txt.asc b/content/security/CVE-2026-48205.txt.asc new file mode 100644 index 00000000..575069e2 --- /dev/null +++ b/content/security/CVE-2026-48205.txt.asc @@ -0,0 +1,31 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +- --- +title: "Apache Camel Security Advisory - CVE-2026-48205" +date: 2026-06-11T10:00:00+02:00 +url: /security/CVE-2026-48205.html +draft: false +type: security-advisory +cve: CVE-2026-48205 +severity: MEDIUM +summary: "Apache Camel: Camel-DNS: The dns.* and term Exchange header constants used non-Camel-prefixed names that bypass the HTTP header filter, allowing an HTTP client to redirect DNS queries to an attacker-controlled server (server-side request forgery) and enumerate internal hostnames" +description: "The camel-dns producers read DNS operation parameters - the resolver to query, the name or domain to look up, the record type and class, and the search term - from Exchange message headers whose constant values (DnsConstants.DNS_SERVER, DNS_NAME, DNS_DOMAIN, DNS_TYPE, DNS_CLASS, TERM) were the plain strings dns.server, dns.name, dns.domain, dns.type, dns.class and term. Because these names do not start with the Camel / camel prefix, HttpHeaderFilterStrategy - which blocks o [...] +mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, routes that drive DNS operations via the raw header names must use CamelDnsServer / CamelDnsName / CamelDnsDomain / CamelDnsType / CamelDnsClass / CamelDnsTerm instead of the dns.* / term names. For depl [...] +credit: "This issue was discovered by Yu Bao from PayPal" +affected: "From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0." +fixed: 4.14.8, 4.18.3 and 4.21.0 +- --- + +The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23574 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23411 (commit bdd40cf23f2b22cd293ddad319069a7b3b3c6c70) and backported to camel-4.18.x (commit 29b18beaf1fb07276de909b8e19cd87f01e8abd9) and camel-4.14.x (commit a6d8a44684c0116531e70ad8eb8bb37bd5601e98). The fix renames the camel-dns Exchange header values to the Camel conventio [...] +-----BEGIN PGP SIGNATURE----- + +iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmovx0kACgkQ406fOAL/ +QQCD9gf+J/fqPgskztbdjzddPWby3VCX5r+vOKXjh48+ptMUFk3+0XUd2jFyAfn6 +ddH/FZa/72L5j01cqps53IL4s8v6bOySG6FIQXO36W/HOe5ASkSR4ldsGC4NAMyH +keX3tLpeq0zHaBHPkCAWduD2ztfbYoYdaZPZy2baY+T7f8mF3UNd8KKEeK5+0w8W +ZV5vHxMo+zQNL3dSmfx0fPB7Xf1rk40o+V1BAe3EbiY3uCrA92hX0Nd5emreK20o +GLcDioVMIjRRP77IDs7err9WPkFbMnz2mCSeIgTy6eemw0I0VM+E6vQt4BfgkrqT +gfybnZ9zf1im0CjoXGwhA/YZsi4igw== +=XlBd +-----END PGP SIGNATURE-----
