Description
Bypass/Injection vulnerability in Apache Camel in the Camel-Undertow component under particular conditions.
This issue affects Apache Camel: from 4.10.0 before 4.10.3, from 4.8.0 before 4.8.6.
Users are recommended to upgrade to version 4.10.3 for 4.10.x LTS and 4.8.6 for 4.8.x LTS.
The Camel Undertow component is vulnerable to Camel message header injection: the custom header filter strategy used by the component only filters the "out" direction (Camel headers leaving the component), while it does not filter the "in" direction (external request headers entering the Camel message).
This allows an attacker to supply Camel-specific headers in a request, which for some Camel components can alter behaviour, such as the camel-bean component or the camel-exec component.
A flaw was found in the Apache Camel Undertow component. This vulnerability allows an attacker to inject Camel-specific headers via the inbound request, which can alter the behavior of certain Camel components such as camel-bean and camel-exec. This issue occurs due to the custom header filter strategy only applying to outgoing messages and not filtering incoming ones.
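As an added example (not code from the Camel project or from this advisory), the following Java header filter strategy applies the same Camel-prefix filter in both directions, so an externally supplied header such as one starting with `Camel` is dropped before it can reach a downstream component; the class name, registry id and route URI are placeholders.

```java
import java.util.Locale;

import org.apache.camel.CamelContext;
import org.apache.camel.Exchange;
import org.apache.camel.builder.RouteBuilder;
import org.apache.camel.impl.DefaultCamelContext;
import org.apache.camel.spi.HeaderFilterStrategy;

/** Drops Camel-internal header names in BOTH directions (constructed example). */
public class BothDirectionsHeaderFilterStrategy implements HeaderFilterStrategy {

    // Prefixes that identify Camel control headers (e.g. CamelBeanMethodName).
    private static final String[] CAMEL_PREFIXES = {"camel", "org.apache.camel."};

    private static boolean isCamelHeader(String headerName) {
        if (headerName == null) {
            return false;
        }
        String lower = headerName.toLowerCase(Locale.ROOT);
        for (String prefix : CAMEL_PREFIXES) {
            if (lower.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    /** "out" direction: Camel headers copied onto the outgoing HTTP message. */
    @Override
    public boolean applyFilterToCamelHeaders(String headerName, Object headerValue, Exchange exchange) {
        return isCamelHeader(headerName); // true means "filter this header out"
    }

    /** "in" direction: HTTP headers copied into the Camel message.
     *  This is the direction the affected versions left unfiltered. */
    @Override
    public boolean applyFilterToExternalHeaders(String headerName, Object headerValue, Exchange exchange) {
        return isCamelHeader(headerName);
    }

    /** Binds the strategy in the registry and references it from an undertow consumer (placeholder URI). */
    public static CamelContext createContext() throws Exception {
        CamelContext context = new DefaultCamelContext();
        context.getRegistry().bind("strictHeaderFilter", new BothDirectionsHeaderFilterStrategy());
        context.addRoutes(new RouteBuilder() {
            @Override
            public void configure() {
                from("undertow:http://0.0.0.0:8080/orders?headerFilterStrategy=#strictHeaderFilter")
                    .to("log:orders");
            }
        });
        return context;
    }
}
```

Upgrading to a fixed release remains the primary remediation; a strategy like this is a defence-in-depth check for routes that cannot be upgraded immediately.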
Mitigation
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Affected packages

| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat build of Apache Camel for Spring Boot 4 | camel-undertow | Fix deferred | | |
| Red Hat build of Apache Camel for Spring Boot 4 | camel-undertow-spring-security | Fix deferred | | |
| Red Hat Fuse 7 | camel-undertow | Not affected | | |
| Red Hat Fuse 7 | camel-undertow-spring-security | Not affected | | |
| Red Hat Fuse 7 | camel-undertow-spring-security-starter | Not affected | | |
| Red Hat Fuse 7 | camel-undertow-starter | Not affected | | |
| Red Hat Integration Camel K 1 | camel-undertow | Not affected | | |
| Red Hat Integration Camel K 1 | camel-undertow-spring-security | Not affected | | |
| Red Hat JBoss Enterprise Application Platform 8 | camel-undertow | Not affected | | |
| Red Hat JBoss Enterprise Application Platform Expansion Pack | camel-undertow | Not affected | | |
Additional information
CVSS3: 6.5 Medium
Related vulnerabilities
Apache Camel Missing Header Out Filter Leads to Potential Bypass/Injection Vulnerability
Vulnerability in the Camel-Undertow component of the Apache Camel Java framework, allowing an attacker to affect the confidentiality and integrity of protected information