This is an automated email from the ASF dual-hosted git repository.

Croway pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel-website.git

commit fc578cd7122643db78eddb139fe8d3c855c8fb50
Author: Croway <[email protected]>
AuthorDate: Mon Jul 6 09:40:10 2026 +0200

    Added CVE-2026-46587
---
 content/security/CVE-2026-46587.md      | 17 +++++++++++++++
 content/security/CVE-2026-46587.txt.asc | 37 +++++++++++++++++++++++++++++++++
 2 files changed, 54 insertions(+)

diff --git a/content/security/CVE-2026-46587.md 
b/content/security/CVE-2026-46587.md
new file mode 100644
index 00000000..990a2356
--- /dev/null
+++ b/content/security/CVE-2026-46587.md
@@ -0,0 +1,17 @@
+---
+title: "Apache Camel Security Advisory - CVE-2026-46587"
+date: 2026-07-03T10:00:00+02:00
+url: /security/CVE-2026-46587.html
+draft: false
+type: security-advisory
+cve: CVE-2026-46587
+severity: MEDIUM
+summary: "Camel-Couchbase: Non-Camel-prefixed Exchange headers bypass 
HeaderFilterStrategy allowing operation override from untrusted input"
+description: "The camel-couchbase component reads several Exchange headers to 
control its behaviour - CCB_KEY (document key), CCB_ID (document id), CCB_TTL 
(document expiry), CCB_DDN (design document name) and CCB_VN (view name). The 
string values of these header constants, defined in CouchbaseConstants, are 
plain unprefixed names rather than the Camel-prefixed names used by every other 
Camel component (for example CamelSqlQuery, CamelMongoDbCriteria). Camel's 
inbound HTTP header filter, [...]
+mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes 
the issue. If users are on the 4.14.x LTS releases stream, then they are 
suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, 
then they are suggested to upgrade to 4.18.3. The fix renames the 
camel-couchbase Exchange header constant string values (CCB_KEY, CCB_ID, 
CCB_TTL, CCB_DDN, CCB_VN) to carry the Camel prefix (CamelCouchbaseKey, 
CamelCouchbaseId, CamelCouchbaseTtl, CamelCouchbaseDesi [...]
+credit: "This issue was discovered by Yu Bao from PayPal"
+affected: "From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 
before 4.21.0."
+fixed: 4.14.8, 4.18.3 and 4.21.0
+---
+
+The fix was merged on main in https://github.com/apache/camel/pull/23228 
(commit d0dfa4e0ebd062acaf4a86ca476bb4305db9bfd4) and backported to 
camel-4.18.x in https://github.com/apache/camel/pull/23230 (commit 
8d74cdca9befc74b49d9c52ac6a145be1d413e7d) and camel-4.14.x in 
https://github.com/apache/camel/pull/23231 (commit 
c16f7ef39849ae8819f50c959b538350b8f839e9). The issue is classified as CWE-20 
(Improper Input Validation). It belongs to the same Camel 
message-header-injection family as C [...]
diff --git a/content/security/CVE-2026-46587.txt.asc 
b/content/security/CVE-2026-46587.txt.asc
new file mode 100644
index 00000000..cbf47caa
--- /dev/null
+++ b/content/security/CVE-2026-46587.txt.asc
@@ -0,0 +1,37 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+- ---
+title: "Apache Camel Security Advisory - CVE-2026-46587"
+date: 2026-07-03T10:00:00+02:00
+url: /security/CVE-2026-46587.html
+draft: false
+type: security-advisory
+cve: CVE-2026-46587
+severity: MEDIUM
+summary: "Camel-Couchbase: Non-Camel-prefixed Exchange headers bypass 
HeaderFilterStrategy allowing operation override from untrusted input"
+description: "The camel-couchbase component reads several Exchange headers to 
control its behaviour - CCB_KEY (document key), CCB_ID (document id), CCB_TTL 
(document expiry), CCB_DDN (design document name) and CCB_VN (view name). The 
string values of these header constants, defined in CouchbaseConstants, are 
plain unprefixed names rather than the Camel-prefixed names used by every other 
Camel component (for example CamelSqlQuery, CamelMongoDbCriteria). Camel's 
inbound HTTP header filter, [...]
+mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes 
the issue. If users are on the 4.14.x LTS releases stream, then they are 
suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, 
then they are suggested to upgrade to 4.18.3. The fix renames the 
camel-couchbase Exchange header constant string values (CCB_KEY, CCB_ID, 
CCB_TTL, CCB_DDN, CCB_VN) to carry the Camel prefix (CamelCouchbaseKey, 
CamelCouchbaseId, CamelCouchbaseTtl, CamelCouchbaseDesi [...]
+credit: "This issue was discovered by Yu Bao from PayPal"
+affected: "From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 
before 4.21.0."
+fixed: 4.14.8, 4.18.3 and 4.21.0
+- ---
+
+The fix was merged on main in https://github.com/apache/camel/pull/23228 
(commit d0dfa4e0ebd062acaf4a86ca476bb4305db9bfd4) and backported to 
camel-4.18.x in https://github.com/apache/camel/pull/23230 (commit 
8d74cdca9befc74b49d9c52ac6a145be1d413e7d) and camel-4.14.x in 
https://github.com/apache/camel/pull/23231 (commit 
c16f7ef39849ae8819f50c959b538350b8f839e9). The issue is classified as CWE-20 
(Improper Input Validation). It belongs to the same Camel 
message-header-injection family as C [...]
+-----BEGIN PGP SIGNATURE-----
+
+iQJPBAEBCgA5FiEEXhypCOH+Pe54HVUTBwmP38yc5+YFAmpLW7YbFIAAAAAABAAO
+bWFudTIsMi41KzEuMTIsMCwzAAoJEAcJj9/MnOfmiI4P/2RN/wRzw81h3+gWSgwj
+h2i2e6Urj/Mz37PmL3dbiQshqsSp4jVsUTktlyBT8ULTM4LPDpvuf3EqysEc0rnM
+AHy0Oy/mWAoLFNnDT5j9HDwPm/Vone67QxXgybV/yu23xr8TW9nAoNAyIX6D+1vG
+czU09EKNWq68IqwQXOcK3MICAaeoEEKTU9nxmZO0dbuY2kzjvgizy/L5gJ0VFkK4
+kk51LNVek8kSkZ7Lzpp/EPvUzyA0Cx4jI+lkOwtvUDWePD6s66mnLpmPQJjFwCh+
+IeLGDtkjSS6kIWESONMJlLMgI5nDr836+R5u49kzMsK19RFk4UCMAdq8Mi0Wre10
+fph4S08KaWS08Cw4hFDllXNSIZsGsTivOsDddSJ2Ju47s4bk+jvaKP2f123Bbzby
+fLKs7lpWv76Kw9CjBAw+gQ/I84hF+J4i2HsmFGlKvQ67pSvPRjRAI9fiWbnkQcLl
+7QExYxUQyRTEMW/740r+WrVTXE0TSBomsGeseMHk+rI/Mw9u+6DG5+KZBhlttQNa
+7Cbx0mKVg4NMtp6dz36YTVQL3Vnl1JJYnOV1cbmj1vmGnxPr41/c/31ST3Yiad5Z
+TnHFGt7lRDE2bVY1+ttrexZ64XATwzdiYAbhrKFaM51qpTH13/DvlCMKouzv/byK
+todWDfC02ZMjSamERxzhkCc8
+=FKt+
+-----END PGP SIGNATURE-----

Reply via email to