oscerd opened a new pull request, #1688: URL: https://github.com/apache/camel-website/pull/1688
Adds the security advisory page for **CVE-2026-43867** — unfiltered `java.io.ObjectInputStream` deserialization in the camel-pqc `AwsSecretsManagerKeyLifecycleManager`. `AwsSecretsManagerKeyLifecycleManager.deserializeMetadata()` reads persisted key metadata back from the configured AWS Secrets Manager secret by Base64-decoding it and calling `ObjectInputStream.readObject()` with no `ObjectInputFilter` — the cast to `KeyMetadata` happens only after `readObject()` returns. A principal with `secretsmanager:PutSecretValue` on that secret could store a crafted object that executes during normal key-lifecycle operations. This was reported independently by Venkatraman Kumar (Securin) and is **the same defect, in the same code path, fixed by the same change as [CVE-2026-46590](https://camel.apache.org/security/CVE-2026-46590.html)** (which additionally covers the HashiCorp Vault and file-based managers). Both are incomplete-remediation follow-ons to CVE-2026-40048. **Details** - Severity: **MEDIUM** (aligned with CVE-2026-46590 for the identical fix; reporter rated CVSS 7.5, but exploitation requires privileged write to the operator-controlled secret) - Reporter: Venkatraman Kumar (Securin) - Fixed in: **4.18.3, 4.21.0** — [CAMEL-23726](https://issues.apache.org/jira/browse/CAMEL-23726), PR apache/camel#23912 (`feea08e7847f`), 4.18.x backport apache/camel#23914 (`12a9ac3c94d`). Not present on the 4.14.x line. - CWE-502 (Deserialization of Untrusted Data) **Files** - `content/security/CVE-2026-43867.md` — Hugo advisory source - `content/security/CVE-2026-43867.txt.asc` — clearsigned plaintext (key `E34E9F3802FF4100`) > ⚠️ **Hold merge until Apache Camel 4.18.3 / 4.21.0 are released.** The fix is already merged, but those versions are not yet cut; the advisory should only go live once the fixed releases are available. --- _Advisory drafted by Claude Code on behalf of Andrea Cosentino._ 🤖 Generated with [Claude Code](https://claude.com/claude-code) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
