CVE-2025-29891

Опубликовано: 12 мар. 2025

Источник: nvd

CVSS3: 4.8

EPSS Низкий

Описание

Bypass/Injection vulnerability in Apache Camel.

This issue affects Apache Camel: from 4.10.0 before 4.10.2, from 4.8.0 before 4.8.5, from 3.10.0 before 3.22.4.

Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases.

This vulnerability is present in Camel's default incoming header filter, that allows an attacker to include Camel specific headers that for some Camel components can alter the behaviours such as the camel-bean component, or the camel-exec component.

If you have Camel applications that are directly connected to the internet via HTTP, then an attacker could include parameters in the HTTP requests that are sent to the Camel application that get translated into headers.

The headers could be both provided as request parameters for an HTTP methods invocation or as part of the payload of the HTTP methods invocation.

All the known Camel HTTP component such as camel-servlet, camel-jetty, camel-undertow, camel-platf

Ссылки

https://camel.apache.org/security/CVE-2025-27636.html
Not Applicable
https://camel.apache.org/security/CVE-2025-29891.html
Vendor Advisory
https://github.com/akamai/CVE-2025-27636-Apache-Camel-PoC
Exploit

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*

Версия от 3.10.0 (включая) до 3.22.4 (исключая)

cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*

Версия от 4.8.0 (включая) до 4.8.5 (исключая)

cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*

Версия от 4.10.0 (включая) до 4.10.2 (исключая)

EPSS

Процентиль: 53%

0.003

Низкий

4.8 Medium

CVSS3

Дефекты

CWE-164

Связанные уязвимости

CVE-2025-29891

CVSS3: 6.3

redhat

6 месяцев назад

Bypass/Injection vulnerability in Apache Camel. This issue affects Apache Camel: from 4.10.0 before 4.10.2, from 4.8.0 before 4.8.5, from 3.10.0 before 3.22.4. Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases. This vulnerability is present in Camel's default incoming header filter, that allows an attacker to include Camel specific headers that for some Camel components can alter the behaviours such as the camel-bean component, or the camel-exec component. If you have Camel applications that are directly connected to the internet via HTTP, then an attacker could include parameters in the HTTP requests that are sent to the Camel application that get translated into headers. The headers could be both provided as request parameters for an HTTP methods invocation or as part of the payload of the HTTP methods invocation. All the known Camel HTTP component such as camel-servlet, camel-jetty, camel-undertow, camel-platform...

GHSA-96v5-c2h5-56hm

CVSS3: 4.2

github

6 месяцев назад

Apache Camel Message Header Injection through request parameters

BDU:2025-03703

CVSS3: 4.8

fstec

6 месяцев назад

Уязвимость компонента Header Handler java-фреймворка Apache Camel, позволяющая нарушителю оказать воздействие целостность и доступность защищаемой информации

EPSS

Процентиль: 53%

0.003

Низкий

4.8 Medium

CVSS3

Дефекты

CWE-164