Описание
Bypass/Injection vulnerability in Apache Camel components under particular conditions.
This issue affects Apache Camel: from 4.10.0 through <= 4.10.1, from 4.8.0 through <= 4.8.4, from 3.10.0 through <= 3.22.3.
Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases.
This vulnerability is present in Camel's default incoming header filter, that allows an attacker to include Camel specific
headers that for some Camel components can alter the behaviours such as the camel-bean component, to call another method
on the bean, than was coded in the application. In the camel-jms component, then a malicious header can be used to send
the message to another queue (on the same broker) than was coded in the application. This could also be seen by using the camel-exec component
The attacker would need to inject custom headers, such as HTTP protocols. So if you have Camel applications that are
directly connected to the internet v
Ссылки
- Vendor Advisory
- Issue TrackingPatch
- Mailing ListVendor Advisory
- Mailing ListThird Party Advisory
- Exploit
- Product
Уязвимые конфигурации
Одно из
EPSS
5.6 Medium
CVSS3
Дефекты
Связанные уязвимости
Bypass/Injection vulnerability in Apache Camel components under particular conditions. This issue affects Apache Camel: from 4.10.0 through <= 4.10.1, from 4.8.0 through <= 4.8.4, from 3.10.0 through <= 3.22.3. Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases. This vulnerability is present in Camel's default incoming header filter, that allows an attacker to include Camel specific headers that for some Camel components can alter the behaviours such as the camel-bean component, to call another method on the bean, than was coded in the application. In the camel-jms component, then a malicious header can be used to send the message to another queue (on the same broker) than was coded in the application. This could also be seen by using the camel-exec component The attacker would need to inject custom headers, such as HTTP protocols. So if you have Camel applications that are directly connected to the internet via HTTP, t...
Apache Camel: Camel Message Header Injection via Improper Filtering
Уязвимость компонента Default Header Filtering фреймворка Apache Camel, связанная с недостаточной проверкой регистра, позволяющая нарушителю оказать влияние на целостность, доступность и конфиденциальность защищаемой информации
Уязвимость компонента Header Handler java-фреймворка Apache Camel, позволяющая нарушителю оказать воздействие целостность и доступность защищаемой информации
EPSS
5.6 Medium
CVSS3