oscerd opened a new pull request, #1688:
URL: https://github.com/apache/camel-website/pull/1688

   Adds the security advisory page for **CVE-2026-43867** — unfiltered 
`java.io.ObjectInputStream` deserialization in the camel-pqc 
`AwsSecretsManagerKeyLifecycleManager`.
   
   `AwsSecretsManagerKeyLifecycleManager.deserializeMetadata()` reads persisted 
key metadata back from the configured AWS Secrets Manager secret by 
Base64-decoding it and calling `ObjectInputStream.readObject()` with no 
`ObjectInputFilter` — the cast to `KeyMetadata` happens only after 
`readObject()` returns. A principal with `secretsmanager:PutSecretValue` on 
that secret could store a crafted object that executes during normal 
key-lifecycle operations.
   
   This was reported independently by Venkatraman Kumar (Securin) and is **the 
same defect, in the same code path, fixed by the same change as 
[CVE-2026-46590](https://camel.apache.org/security/CVE-2026-46590.html)** 
(which additionally covers the HashiCorp Vault and file-based managers). Both 
are incomplete-remediation follow-ons to CVE-2026-40048.
   
   **Details**
   - Severity: **MEDIUM** (aligned with CVE-2026-46590 for the identical fix; 
reporter rated CVSS 7.5, but exploitation requires privileged write to the 
operator-controlled secret)
   - Reporter: Venkatraman Kumar (Securin)
   - Fixed in: **4.18.3, 4.21.0** — 
[CAMEL-23726](https://issues.apache.org/jira/browse/CAMEL-23726), PR 
apache/camel#23912 (`feea08e7847f`), 4.18.x backport apache/camel#23914 
(`12a9ac3c94d`). Not present on the 4.14.x line.
   - CWE-502 (Deserialization of Untrusted Data)
   
   **Files**
   - `content/security/CVE-2026-43867.md` — Hugo advisory source
   - `content/security/CVE-2026-43867.txt.asc` — clearsigned plaintext (key 
`E34E9F3802FF4100`)
   
   > ⚠️ **Hold merge until Apache Camel 4.18.3 / 4.21.0 are released.** The fix 
is already merged, but those versions are not yet cut; the advisory should only 
go live once the fixed releases are available.
   
   ---
   _Advisory drafted by Claude Code on behalf of Andrea Cosentino._
   
   🤖 Generated with [Claude Code](https://claude.com/claude-code)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to