All the vulnerabilites related to Apache Software Foundation - Apache Camel
cve-2017-12633
Vulnerability from cvelistv5
Published
2017-11-15 15:00
Modified
2024-09-16 22:25
Severity ?
EPSS score ?
Summary
The camel-hessian component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-serialisation vulnerability. De-serializing untrusted data can lead to security flaws.
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.securityfocus.com/bid/101874 | vdb-entry, x_refsource_BID | |
| https://access.redhat.com/errata/RHSA-2018:0319 | vendor-advisory, x_refsource_REDHAT | |
| https://issues.apache.org/jira/browse/CAMEL-11923 | x_refsource_CONFIRM | |
| http://camel.apache.org/security-advisories.data/CVE-2017-12633.txt.asc | x_refsource_CONFIRM | |
| https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d%40%3Ccommits.camel.apache.org%3E | mailing-list, x_refsource_MLIST | |
| https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E | mailing-list, x_refsource_MLIST |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Apache Software Foundation | Apache Camel |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T18:43:56.449Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "101874",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/101874"
},
{
"name": "RHSA-2018:0319",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:0319"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://issues.apache.org/jira/browse/CAMEL-11923"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://camel.apache.org/security-advisories.data/CVE-2017-12633.txt.asc"
},
{
"name": "[camel-commits] 20190430 svn commit: r1044347 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0194.txt.asc security-advisories.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d%40%3Ccommits.camel.apache.org%3E"
},
{
"name": "[camel-commits] 20190524 svn commit: r1045395 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0188.txt.asc security-advisories.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Camel",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "2.19.0 to 2.19.3"
},
{
"status": "affected",
"version": "2.20.0"
},
{
"status": "affected",
"version": "The unsupported Camel 2.x (2.18 and earlier) versions may be also affected."
}
]
}
],
"datePublic": "2017-11-15T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The camel-hessian component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-serialisation vulnerability. De-serializing untrusted data can lead to security flaws."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Apache Camel\u0027s Hessian unmarshalling operation is vulnerable to Remote Code Execution attacks",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-05-24T10:06:04",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "101874",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/101874"
},
{
"name": "RHSA-2018:0319",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:0319"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://issues.apache.org/jira/browse/CAMEL-11923"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://camel.apache.org/security-advisories.data/CVE-2017-12633.txt.asc"
},
{
"name": "[camel-commits] 20190430 svn commit: r1044347 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0194.txt.asc security-advisories.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d%40%3Ccommits.camel.apache.org%3E"
},
{
"name": "[camel-commits] 20190524 svn commit: r1045395 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0188.txt.asc security-advisories.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2017-11-15T00:00:00",
"ID": "CVE-2017-12633",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Camel",
"version": {
"version_data": [
{
"version_value": "2.19.0 to 2.19.3"
},
{
"version_value": "2.20.0"
},
{
"version_value": "The unsupported Camel 2.x (2.18 and earlier) versions may be also affected."
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The camel-hessian component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-serialisation vulnerability. De-serializing untrusted data can lead to security flaws."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Apache Camel\u0027s Hessian unmarshalling operation is vulnerable to Remote Code Execution attacks"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "101874",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/101874"
},
{
"name": "RHSA-2018:0319",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:0319"
},
{
"name": "https://issues.apache.org/jira/browse/CAMEL-11923",
"refsource": "CONFIRM",
"url": "https://issues.apache.org/jira/browse/CAMEL-11923"
},
{
"name": "http://camel.apache.org/security-advisories.data/CVE-2017-12633.txt.asc",
"refsource": "CONFIRM",
"url": "http://camel.apache.org/security-advisories.data/CVE-2017-12633.txt.asc"
},
{
"name": "[camel-commits] 20190430 svn commit: r1044347 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0194.txt.asc security-advisories.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d@%3Ccommits.camel.apache.org%3E"
},
{
"name": "[camel-commits] 20190524 svn commit: r1045395 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0188.txt.asc security-advisories.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf@%3Ccommits.camel.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2017-12633",
"datePublished": "2017-11-15T15:00:00Z",
"dateReserved": "2017-08-07T00:00:00",
"dateUpdated": "2024-09-16T22:25:45.252Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-12634
Vulnerability from cvelistv5
Published
2017-11-15 15:00
Modified
2024-09-16 18:43
Severity ?
EPSS score ?
Summary
The camel-castor component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-serialisation vulnerability. De-serializing untrusted data can lead to security flaws.
References
| ▼ | URL | Tags |
|---|---|---|
| https://access.redhat.com/errata/RHSA-2018:0319 | vendor-advisory, x_refsource_REDHAT | |
| http://www.securityfocus.com/bid/101876 | vdb-entry, x_refsource_BID | |
| https://issues.apache.org/jira/browse/CAMEL-11929 | x_refsource_CONFIRM | |
| http://camel.apache.org/security-advisories.data/CVE-2017-12634.txt.asc | x_refsource_CONFIRM | |
| https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d%40%3Ccommits.camel.apache.org%3E | mailing-list, x_refsource_MLIST | |
| https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E | mailing-list, x_refsource_MLIST |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Apache Software Foundation | Apache Camel |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T18:43:56.451Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "RHSA-2018:0319",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:0319"
},
{
"name": "101876",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/101876"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://issues.apache.org/jira/browse/CAMEL-11929"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://camel.apache.org/security-advisories.data/CVE-2017-12634.txt.asc"
},
{
"name": "[camel-commits] 20190430 svn commit: r1044347 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0194.txt.asc security-advisories.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d%40%3Ccommits.camel.apache.org%3E"
},
{
"name": "[camel-commits] 20190524 svn commit: r1045395 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0188.txt.asc security-advisories.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Camel",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "2.19.0 to 2.19.3"
},
{
"status": "affected",
"version": "2.20.0"
},
{
"status": "affected",
"version": "The unsupported Camel 2.x (2.18 and earlier) versions may be also affected."
}
]
}
],
"datePublic": "2017-11-15T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The camel-castor component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-serialisation vulnerability. De-serializing untrusted data can lead to security flaws."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Apache Camel\u0027s Castor unmarshalling operation is vulnerable to Remote Code Execution attacks",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-05-24T10:06:03",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "RHSA-2018:0319",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:0319"
},
{
"name": "101876",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/101876"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://issues.apache.org/jira/browse/CAMEL-11929"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://camel.apache.org/security-advisories.data/CVE-2017-12634.txt.asc"
},
{
"name": "[camel-commits] 20190430 svn commit: r1044347 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0194.txt.asc security-advisories.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d%40%3Ccommits.camel.apache.org%3E"
},
{
"name": "[camel-commits] 20190524 svn commit: r1045395 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0188.txt.asc security-advisories.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2017-11-15T00:00:00",
"ID": "CVE-2017-12634",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Camel",
"version": {
"version_data": [
{
"version_value": "2.19.0 to 2.19.3"
},
{
"version_value": "2.20.0"
},
{
"version_value": "The unsupported Camel 2.x (2.18 and earlier) versions may be also affected."
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The camel-castor component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-serialisation vulnerability. De-serializing untrusted data can lead to security flaws."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Apache Camel\u0027s Castor unmarshalling operation is vulnerable to Remote Code Execution attacks"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "RHSA-2018:0319",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:0319"
},
{
"name": "101876",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/101876"
},
{
"name": "https://issues.apache.org/jira/browse/CAMEL-11929",
"refsource": "CONFIRM",
"url": "https://issues.apache.org/jira/browse/CAMEL-11929"
},
{
"name": "http://camel.apache.org/security-advisories.data/CVE-2017-12634.txt.asc",
"refsource": "CONFIRM",
"url": "http://camel.apache.org/security-advisories.data/CVE-2017-12634.txt.asc"
},
{
"name": "[camel-commits] 20190430 svn commit: r1044347 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0194.txt.asc security-advisories.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d@%3Ccommits.camel.apache.org%3E"
},
{
"name": "[camel-commits] 20190524 svn commit: r1045395 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0188.txt.asc security-advisories.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf@%3Ccommits.camel.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2017-12634",
"datePublished": "2017-11-15T15:00:00Z",
"dateReserved": "2017-08-07T00:00:00",
"dateUpdated": "2024-09-16T18:43:28.109Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2025-29891
Vulnerability from cvelistv5
Published
2025-03-12 14:42
Modified
2025-03-19 13:10
Severity ?
EPSS score ?
Summary
Apache Camel: Camel Message Header Injection through request parameters
References
| ▼ | URL | Tags |
|---|---|---|
| https://camel.apache.org/security/CVE-2025-27636.html | related | |
| https://camel.apache.org/security/CVE-2025-29891.html | vendor-advisory |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Apache Software Foundation | Apache Camel |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-29891",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-19T13:08:59.375705Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-19T13:10:01.834Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/akamai/CVE-2025-27636-Apache-Camel-PoC"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.camel:camel",
"product": "Apache Camel",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "4.10.2",
"status": "affected",
"version": "4.10.0",
"versionType": "semver"
},
{
"lessThan": "4.8.5",
"status": "affected",
"version": "4.8.0",
"versionType": "semver"
},
{
"lessThan": "3.22.4",
"status": "affected",
"version": "3.10.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Citi Cyber Security Operations"
},
{
"lang": "en",
"type": "reporter",
"value": "Akamai Security Intelligence Group (SIG)"
},
{
"lang": "en",
"type": "finder",
"value": "Mark Thorson of AT\u0026T"
},
{
"lang": "en",
"type": "reporter",
"value": "Mark Thorson of AT\u0026T"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eBypass/Injection vulnerability in Apache Camel.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Camel: from 4.10.0 before 4.10.2, from 4.8.0 before 4.8.5, from 3.10.0 before 3.22.4.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases.\u003c/p\u003e\u003cp\u003eThis vulnerability is present in Camel\u0027s default incoming header filter, that allows an attacker to include Camel specific headers that for some Camel components can alter the behaviours such as the camel-bean component, or the camel-exec component.\u003c/p\u003e\u003cp\u003eIf you have Camel applications that are directly connected to the internet via HTTP, then an attacker\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ecould include parameters in the HTTP requests that are sent to the Camel application that get translated into headers.\u003c/span\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe headers could be both provided as request parameters for an HTTP methods invocation or as part of the payload of the HTTP methods invocation.\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: var(--wht);\"\u003eAll the known Camel HTTP component such as camel-servlet, camel-jetty, camel-undertow, camel-platform-http, and camel-netty-http would be vulnerable out of the box.\u003c/span\u003e\u003c/p\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThis CVE is related to the CVE-2025-27636: while they have the same root cause and are fixed with the same fix, CVE-2025-27636 was assumed to only be exploitable if an attacker could add malicious HTTP headers, while we have now determined that it is also exploitable via HTTP parameters. Like in CVE-2025-27636, exploitation is only possible if the Camel route uses particular vulnerable components.\u003c/span\u003e\u003cp\u003e\u003c/p\u003e"
}
],
"value": "Bypass/Injection vulnerability in Apache Camel.\n\nThis issue affects Apache Camel: from 4.10.0 before 4.10.2, from 4.8.0 before 4.8.5, from 3.10.0 before 3.22.4.\n\nUsers are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases.\n\nThis vulnerability is present in Camel\u0027s default incoming header filter, that allows an attacker to include Camel specific headers that for some Camel components can alter the behaviours such as the camel-bean component, or the camel-exec component.\n\nIf you have Camel applications that are directly connected to the internet via HTTP, then an attacker\u00a0could include parameters in the HTTP requests that are sent to the Camel application that get translated into headers.\u00a0\n\nThe headers could be both provided as request parameters for an HTTP methods invocation or as part of the payload of the HTTP methods invocation.\n\nAll the known Camel HTTP component such as camel-servlet, camel-jetty, camel-undertow, camel-platform-http, and camel-netty-http would be vulnerable out of the box.\n\nThis CVE is related to the CVE-2025-27636: while they have the same root cause and are fixed with the same fix, CVE-2025-27636 was assumed to only be exploitable if an attacker could add malicious HTTP headers, while we have now determined that it is also exploitable via HTTP parameters. Like in CVE-2025-27636, exploitation is only possible if the Camel route uses particular vulnerable components."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-164",
"description": "CWE-164 Improper Neutralization of Internal Special Elements",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-13T08:22:07.519Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"related"
],
"url": "https://camel.apache.org/security/CVE-2025-27636.html"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://camel.apache.org/security/CVE-2025-29891.html"
}
],
"source": {
"defect": [
"CAMEL-21828"
],
"discovery": "UNKNOWN"
},
"title": "Apache Camel: Camel Message Header Injection through request parameters",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-29891",
"datePublished": "2025-03-12T14:42:59.644Z",
"dateReserved": "2025-03-12T08:48:54.633Z",
"dateUpdated": "2025-03-19T13:10:01.834Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-22371
Vulnerability from cvelistv5
Published
2024-02-26 09:22
Modified
2024-10-31 13:03
Severity ?
EPSS score ?
Summary
Apache Camel issue on ExchangeCreatedEvent
References
| ▼ | URL | Tags |
|---|---|---|
| https://camel.apache.org/security/CVE-2024-22371.html | vendor-advisory |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Apache Software Foundation | Apache Camel |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:43:34.525Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://camel.apache.org/security/CVE-2024-22371.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-22371",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-05T14:48:22.345763Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-922",
"description": "CWE-922 Insecure Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-31T13:03:53.000Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Camel",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "1.6.0",
"status": "unaffected",
"version": "1.x",
"versionType": "semver"
},
{
"lessThanOrEqual": "3.21.3",
"status": "affected",
"version": "3.21.x",
"versionType": "semver"
},
{
"lessThanOrEqual": "3.22.0",
"status": "affected",
"version": "3.22.x",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.0.3",
"status": "affected",
"version": "4.0.x",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.3.0",
"status": "affected",
"version": "4.x",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Otavio Rodolfo Piske from the Apache Software Foundation"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Exposure of sensitive data by by crafting a malicious EventFactory and providing a custom ExchangeCreatedEvent that exposes sensitive data. Vulnerability in Apache Camel.\u003cp\u003eThis issue affects Apache Camel: from 3.21.X through 3.21.3, from 3.22.X through 3.22.0, from 4.0.X through 4.0.3, from 4.X through 4.3.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 3.21.4, 3.22.1, 4.0.4 or 4.4.0, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Exposure of sensitive data by by crafting a malicious EventFactory and providing a custom ExchangeCreatedEvent that exposes sensitive data. Vulnerability in Apache Camel.This issue affects Apache Camel: from 3.21.X through 3.21.3, from 3.22.X through 3.22.0, from 4.0.X through 4.0.3, from 4.X through 4.3.0.\n\nUsers are recommended to upgrade to version 3.21.4, 3.22.1, 4.0.4 or 4.4.0, which fixes the issue.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 2.9,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "Low"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Exposure of sensitive data by by crafting a malicious EventFactory and providing a custom ExchangeCreatedEvent that exposes sensitive data.",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-26T09:22:38.384Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://camel.apache.org/security/CVE-2024-22371.html"
}
],
"source": {
"defect": [
"CAMEL-20305"
],
"discovery": "INTERNAL"
},
"title": "Apache Camel issue on ExchangeCreatedEvent",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-22371",
"datePublished": "2024-02-26T09:22:38.384Z",
"dateReserved": "2024-01-09T12:04:27.624Z",
"dateUpdated": "2024-10-31T13:03:53.000Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2016-8749
Vulnerability from cvelistv5
Published
2017-03-28 18:00
Modified
2024-08-06 02:35
Severity ?
EPSS score ?
Summary
Apache Camel's Jackson and JacksonXML unmarshalling operation are vulnerable to Remote Code Execution attacks.
References
| ▼ | URL | Tags |
|---|---|---|
| https://access.redhat.com/errata/RHSA-2017:1832 | vendor-advisory, x_refsource_REDHAT | |
| https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true | x_refsource_MISC | |
| http://camel.apache.org/security-advisories.data/CVE-2016-8749.txt.asc?version=2&modificationDate=1486565034000&api=v2 | x_refsource_CONFIRM | |
| http://www.securityfocus.com/bid/97179 | vdb-entry, x_refsource_BID | |
| http://www.openwall.com/lists/oss-security/2017/05/22/2 | mailing-list, x_refsource_MLIST | |
| https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d%40%3Ccommits.camel.apache.org%3E | mailing-list, x_refsource_MLIST | |
| https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E | mailing-list, x_refsource_MLIST |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Apache Software Foundation | Apache Camel |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T02:35:00.312Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "RHSA-2017:1832",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2017:1832"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://camel.apache.org/security-advisories.data/CVE-2016-8749.txt.asc?version=2\u0026modificationDate=1486565034000\u0026api=v2"
},
{
"name": "97179",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/97179"
},
{
"name": "[oss-security] 20170522 Code Execution through a variety Java (Un-)Marshallers",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2017/05/22/2"
},
{
"name": "[camel-commits] 20190430 svn commit: r1044347 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0194.txt.asc security-advisories.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d%40%3Ccommits.camel.apache.org%3E"
},
{
"name": "[camel-commits] 20190524 svn commit: r1045395 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0188.txt.asc security-advisories.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Camel",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "2.16.0 to 2.16.4"
},
{
"status": "affected",
"version": "2.17.0 to 2.17.4"
},
{
"status": "affected",
"version": "2.18.0 to 2.18.1"
},
{
"status": "affected",
"version": "The unsupported Camel 2.x (2.14 and earlier) versions may be also affected."
}
]
}
],
"datePublic": "2017-03-16T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Apache Camel\u0027s Jackson and JacksonXML unmarshalling operation are vulnerable to Remote Code Execution attacks."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "remote code execution",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-05-24T10:06:03",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "RHSA-2017:1832",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2017:1832"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://camel.apache.org/security-advisories.data/CVE-2016-8749.txt.asc?version=2\u0026modificationDate=1486565034000\u0026api=v2"
},
{
"name": "97179",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/97179"
},
{
"name": "[oss-security] 20170522 Code Execution through a variety Java (Un-)Marshallers",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2017/05/22/2"
},
{
"name": "[camel-commits] 20190430 svn commit: r1044347 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0194.txt.asc security-advisories.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d%40%3Ccommits.camel.apache.org%3E"
},
{
"name": "[camel-commits] 20190524 svn commit: r1045395 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0188.txt.asc security-advisories.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2016-8749",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Camel",
"version": {
"version_data": [
{
"version_value": "2.16.0 to 2.16.4"
},
{
"version_value": "2.17.0 to 2.17.4"
},
{
"version_value": "2.18.0 to 2.18.1"
},
{
"version_value": "The unsupported Camel 2.x (2.14 and earlier) versions may be also affected."
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache Camel\u0027s Jackson and JacksonXML unmarshalling operation are vulnerable to Remote Code Execution attacks."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "remote code execution"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "RHSA-2017:1832",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2017:1832"
},
{
"name": "https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true",
"refsource": "MISC",
"url": "https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true"
},
{
"name": "http://camel.apache.org/security-advisories.data/CVE-2016-8749.txt.asc?version=2\u0026modificationDate=1486565034000\u0026api=v2",
"refsource": "CONFIRM",
"url": "http://camel.apache.org/security-advisories.data/CVE-2016-8749.txt.asc?version=2\u0026modificationDate=1486565034000\u0026api=v2"
},
{
"name": "97179",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/97179"
},
{
"name": "[oss-security] 20170522 Code Execution through a variety Java (Un-)Marshallers",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2017/05/22/2"
},
{
"name": "[camel-commits] 20190430 svn commit: r1044347 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0194.txt.asc security-advisories.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d@%3Ccommits.camel.apache.org%3E"
},
{
"name": "[camel-commits] 20190524 svn commit: r1045395 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0188.txt.asc security-advisories.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf@%3Ccommits.camel.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2016-8749",
"datePublished": "2017-03-28T18:00:00",
"dateReserved": "2016-10-18T00:00:00",
"dateUpdated": "2024-08-06T02:35:00.312Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2025-27636
Vulnerability from cvelistv5
Published
2025-03-09 12:09
Modified
2025-03-17 14:42
Severity ?
EPSS score ?
Summary
Apache Camel: Camel Message Header Injection via Improper Filtering
References
| ▼ | URL | Tags |
|---|---|---|
| https://lists.apache.org/thread/l3zcg3vts88bmc7w8172wkgw610y693z | vendor-advisory | |
| https://issues.apache.org/jira/browse/CAMEL-21828 | issue-tracking | |
| https://camel.apache.org/security/CVE-2025-27636.html | vendor-advisory |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Apache Software Foundation | Apache Camel |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-03-09T17:02:21.478Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/03/09/1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-27636",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-10T18:51:57.713279Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-178",
"description": "CWE-178 Improper Handling of Case Sensitivity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-10T18:56:43.452Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/akamai/CVE-2025-27636-Apache-Camel-PoC/blob/main/src/main/java/com/example/camel/VulnerableCamel.java"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://camel.apache.org/security/CVE-2025-27636.txt.asc"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.camel:camel",
"product": "Apache Camel",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "4.10.2",
"status": "affected",
"version": "4.10.0",
"versionType": "semver"
},
{
"lessThan": "4.8.5",
"status": "affected",
"version": "4.8.0",
"versionType": "semver"
},
{
"lessThan": "3.22.4",
"status": "affected",
"version": "3.10.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Mark Thorson"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eBypass/Injection vulnerability in Apache Camel components under particular conditions.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Camel: from 4.10.0 through \u0026lt;= 4.10.1, from 4.8.0 through \u0026lt;= 4.8.4, from 3.10.0 through \u0026lt;= 3.22.3.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases.\u003c/p\u003e\u003cdiv\u003e\u003c/div\u003e\u003cdiv\u003eThis vulnerability is present in Camel\u0027s default incoming header filter, that allows an attacker to include Camel specific\u003c/div\u003e\u003cdiv\u003eheaders that for some Camel components can alter the behaviours such as the camel-bean component, to call another method\u003c/div\u003e\u003cdiv\u003eon the bean, than was coded in the application. In the camel-jms component, then a malicious header can be used to send\u003c/div\u003e\u003cdiv\u003ethe message to another queue (on the same broker) than was coded in the application. This could also be seen by using the camel-exec component\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eThe attacker would need to inject custom headers, such as HTTP protocols. So if you have Camel applications that are\u003c/div\u003e\u003cdiv\u003edirectly connected to the internet via HTTP, then an attacker could include malicious HTTP headers in the HTTP requests\u003c/div\u003e\u003cdiv\u003ethat are send to the Camel application.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003eAll the known Camel HTTP component such as camel-servlet, camel-jetty, camel-undertow, camel-platform-http, and camel-netty-http would be vulnerable out of the box.\u003cbr\u003e\u003cbr\u003eIn these conditions an attacker could be able to forge a Camel header name and make the bean component invoking other methods in the same bean.\u003cbr\u003e\u003cbr\u003e\u003cdiv\u003eIn terms of usage of the default header filter strategy the list of components using that is: \u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cul\u003e\u003cli\u003ecamel-activemq\u003c/li\u003e\u003cli\u003ecamel-activemq6\u003c/li\u003e\u003cli\u003ecamel-amqp\u003c/li\u003e\u003cli\u003ecamel-aws2-sqs\u003c/li\u003e\u003cli\u003ecamel-azure-servicebus\u003c/li\u003e\u003cli\u003ecamel-cxf-rest\u003c/li\u003e\u003cli\u003ecamel-cxf-soap\u003c/li\u003e\u003cli\u003ecamel-http\u003c/li\u003e\u003cli\u003ecamel-jetty\u003c/li\u003e\u003cli\u003ecamel-jms\u003c/li\u003e\u003cli\u003ecamel-kafka\u003c/li\u003e\u003cli\u003ecamel-knative\u003c/li\u003e\u003cli\u003ecamel-mail\u003c/li\u003e\u003cli\u003ecamel-nats\u003c/li\u003e\u003cli\u003ecamel-netty-http\u003c/li\u003e\u003cli\u003ecamel-platform-http\u003c/li\u003e\u003cli\u003ecamel-rest\u003c/li\u003e\u003cli\u003ecamel-sjms\u003c/li\u003e\u003cli\u003ecamel-spring-rabbitmq\u003c/li\u003e\u003cli\u003ecamel-stomp\u003c/li\u003e\u003cli\u003ecamel-tahu\u003c/li\u003e\u003cli\u003ecamel-undertow\u003c/li\u003e\u003cli\u003ecamel-xmpp\u003c/li\u003e\u003c/ul\u003e\u003c/div\u003e\u003c/div\u003e\u003cdiv\u003eThe vulnerability arises due to a bug in the default filtering mechanism that only blocks headers starting with \"Camel\", \"camel\", or \"org.apache.camel.\".\u0026nbsp;\u003c/div\u003e\u003cbr\u003e\u003cdiv\u003e\u003cspan style=\"background-color: var(--wht);\"\u003eMitigation:\u0026nbsp;\u003c/span\u003eYou can easily work around this in your Camel applications by removing the\u0026nbsp;headers in your Camel routes. There are many ways of doing this, also\u0026nbsp;globally or per route. This means you could use the removeHeaders EIP, to filter out anything like \"cAmel, cAMEL\" etc, or in general everything not starting with \"Camel\", \"camel\" or \"org.apache.camel.\".\u0026nbsp;\u003cbr\u003e\u003c/div\u003e\u003cbr\u003e"
}
],
"value": "Bypass/Injection vulnerability in Apache Camel components under particular conditions.\n\nThis issue affects Apache Camel: from 4.10.0 through \u003c= 4.10.1, from 4.8.0 through \u003c= 4.8.4, from 3.10.0 through \u003c= 3.22.3.\n\nUsers are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases.\n\n\n\nThis vulnerability is present in Camel\u0027s default incoming header filter, that allows an attacker to include Camel specific\n\nheaders that for some Camel components can alter the behaviours such as the camel-bean component, to call another method\n\non the bean, than was coded in the application. In the camel-jms component, then a malicious header can be used to send\n\nthe message to another queue (on the same broker) than was coded in the application. This could also be seen by using the camel-exec component\n\n\n\n\nThe attacker would need to inject custom headers, such as HTTP protocols. So if you have Camel applications that are\n\ndirectly connected to the internet via HTTP, then an attacker could include malicious HTTP headers in the HTTP requests\n\nthat are send to the Camel application.\n\n\n\n\nAll the known Camel HTTP component such as camel-servlet, camel-jetty, camel-undertow, camel-platform-http, and camel-netty-http would be vulnerable out of the box.\n\nIn these conditions an attacker could be able to forge a Camel header name and make the bean component invoking other methods in the same bean.\n\nIn terms of usage of the default header filter strategy the list of components using that is: \n\n\n * camel-activemq\n * camel-activemq6\n * camel-amqp\n * camel-aws2-sqs\n * camel-azure-servicebus\n * camel-cxf-rest\n * camel-cxf-soap\n * camel-http\n * camel-jetty\n * camel-jms\n * camel-kafka\n * camel-knative\n * camel-mail\n * camel-nats\n * camel-netty-http\n * camel-platform-http\n * camel-rest\n * camel-sjms\n * camel-spring-rabbitmq\n * camel-stomp\n * camel-tahu\n * camel-undertow\n * camel-xmpp\n\n\n\n\n\n\nThe vulnerability arises due to a bug in the default filtering mechanism that only blocks headers starting with \"Camel\", \"camel\", or \"org.apache.camel.\".\u00a0\n\n\nMitigation:\u00a0You can easily work around this in your Camel applications by removing the\u00a0headers in your Camel routes. There are many ways of doing this, also\u00a0globally or per route. This means you could use the removeHeaders EIP, to filter out anything like \"cAmel, cAMEL\" etc, or in general everything not starting with \"Camel\", \"camel\" or \"org.apache.camel.\"."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Bypass/Injection",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-17T14:42:57.795Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/l3zcg3vts88bmc7w8172wkgw610y693z"
},
{
"tags": [
"issue-tracking"
],
"url": "https://issues.apache.org/jira/browse/CAMEL-21828"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://camel.apache.org/security/CVE-2025-27636.html"
}
],
"source": {
"defect": [
"CAMEL-21828"
],
"discovery": "UNKNOWN"
},
"title": "Apache Camel: Camel Message Header Injection via Improper Filtering",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-27636",
"datePublished": "2025-03-09T12:09:58.619Z",
"dateReserved": "2025-03-04T11:56:29.254Z",
"dateUpdated": "2025-03-17T14:42:57.795Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-22369
Vulnerability from cvelistv5
Published
2024-02-20 14:58
Modified
2024-11-05 19:47
Severity ?
EPSS score ?
Summary
Apache Camel: Camel-SQL: Unsafe Deserialization from JDBCAggregationRepository
References
| ▼ | URL | Tags |
|---|---|---|
| https://lists.apache.org/thread/3dko781dy2gy5l3fs48p56fgp429yb0f | vendor-advisory |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Apache Software Foundation | Apache Camel |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:camel:3.0.0:-:*:*:*:*:*:*",
"cpe:2.3:a:apache:camel:3.22.0:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:camel:4.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:camel:4.1.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "camel",
"vendor": "apache",
"versions": [
{
"lessThan": "3.21.4",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
},
{
"lessThan": "3.22.1",
"status": "affected",
"version": "3.22.0",
"versionType": "custom"
},
{
"lessThan": "4.0.4",
"status": "affected",
"version": "4.0.0",
"versionType": "custom"
},
{
"lessThan": "4.4.0",
"status": "affected",
"version": "4.1.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-22369",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-20T18:46:02.736351Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-05T19:47:09.797Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:43:34.477Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/3dko781dy2gy5l3fs48p56fgp429yb0f"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.camel:camel-sql",
"product": "Apache Camel",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.21.4",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
},
{
"lessThan": "3.22.1",
"status": "affected",
"version": "3.22.0",
"versionType": "semver"
},
{
"lessThan": "4.0.4",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
},
{
"lessThan": "4.4.0",
"status": "affected",
"version": "4.1.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ziyang Chen from HuaWei Open Source Management Center"
},
{
"lang": "en",
"type": "finder",
"value": "Pingtao Wei from HuaWei Open Source Management Center"
},
{
"lang": "en",
"type": "finder",
"value": "Haoran Zhi from HuaWei Open Source Management Center"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Deserialization of Untrusted Data vulnerability in Apache Camel SQL Component\u003cp\u003eThis issue affects Apache Camel: from 3.0.0 before 3.21.4, from 3.22.0 before 3.22.1, from 4.0.0 before 4.0.4, from 4.1.0 before 4.4.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 4.4.0, which fixes the issue. If users are on the 4.0.x LTS releases stream, then they are suggested to upgrade to 4.0.4. If users are on 3.x, they are suggested to move to 3.21.4 or 3.22.1\u003c/p\u003e"
}
],
"value": "Deserialization of Untrusted Data vulnerability in Apache Camel SQL ComponentThis issue affects Apache Camel: from 3.0.0 before 3.21.4, from 3.22.0 before 3.22.1, from 4.0.0 before 4.0.4, from 4.1.0 before 4.4.0.\n\nUsers are recommended to upgrade to version 4.4.0, which fixes the issue. If users are on the 4.0.x LTS releases stream, then they are suggested to upgrade to 4.0.4. If users are on 3.x, they are suggested to move to 3.21.4 or 3.22.1\n\n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-20T14:58:36.291Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/3dko781dy2gy5l3fs48p56fgp429yb0f"
}
],
"source": {
"advisory": "https://camel.apache.org/security/CVE-2024-22369.html",
"defect": [
"CAMEL-20303"
],
"discovery": "EXTERNAL"
},
"title": "Apache Camel: Camel-SQL: Unsafe Deserialization from JDBCAggregationRepository",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-22369",
"datePublished": "2024-02-20T14:58:36.291Z",
"dateReserved": "2024-01-09T09:46:19.456Z",
"dateUpdated": "2024-11-05T19:47:09.797Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2025-30177
Vulnerability from cvelistv5
Published
2025-04-01 11:56
Modified
2025-04-01 18:42
Severity ?
EPSS score ?
Summary
Apache Camel: Camel-Undertow Message Header Injection via Improper Filtering
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Apache Software Foundation | Apache Camel |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-30177",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-01T18:40:10.405496Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-01T18:42:45.532Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.camel:camel-undertow",
"product": "Apache Camel",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "4.10.3",
"status": "affected",
"version": "4.10.0",
"versionType": "semver"
},
{
"lessThan": "4.8.6",
"status": "affected",
"version": "4.8.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Mark Thorson of AT\u0026T"
},
{
"lang": "en",
"type": "reporter",
"value": "Mark Thorson of AT\u0026T"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eBypass/Injection vulnerability in Apache Camel in Camel-Undertow component under particular conditions.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Camel: from 4.10.0 before 4.10.3, from 4.8.0 before 4.8.6.\u003c/p\u003eUsers are recommended to upgrade to version 4.10.3 for 4.10.x LTS and 4.8.6 for 4.8.x LTS.\u003cbr\u003e\u003cbr\u003e\u003cdiv\u003eCamel undertow component is vulnerable to Camel message header injection, in particular the custom header filter strategy used by the component only filter the \"out\" direction, while it doesn\u0027t filter the \"in\" direction.\u003c/div\u003e\u003cbr\u003eThis allows an attacker to include Camel specific headers that for some Camel components can alter the behaviour such as the camel-bean component, or the camel-exec component.\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "Bypass/Injection vulnerability in Apache Camel in Camel-Undertow component under particular conditions.\n\nThis issue affects Apache Camel: from 4.10.0 before 4.10.3, from 4.8.0 before 4.8.6.\n\nUsers are recommended to upgrade to version 4.10.3 for 4.10.x LTS and 4.8.6 for 4.8.x LTS.\n\nCamel undertow component is vulnerable to Camel message header injection, in particular the custom header filter strategy used by the component only filter the \"out\" direction, while it doesn\u0027t filter the \"in\" direction.\n\n\nThis allows an attacker to include Camel specific headers that for some Camel components can alter the behaviour such as the camel-bean component, or the camel-exec component."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Bypass/Injection",
"lang": "en"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-164",
"description": "CWE-164 Improper Neutralization of Internal Special Elements",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-01T11:56:30.484Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"related"
],
"url": "https://camel.apache.org/security/CVE-2025-27636.html"
},
{
"tags": [
"related"
],
"url": "https://camel.apache.org/security/CVE-2025-29891.html"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/dj79zdgw01j337lr9gvyy4sv8xfyw8py"
}
],
"source": {
"defect": [
"CAMEL-21876"
],
"discovery": "UNKNOWN"
},
"title": "Apache Camel: Camel-Undertow Message Header Injection via Improper Filtering",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-30177",
"datePublished": "2025-04-01T11:56:30.484Z",
"dateReserved": "2025-03-17T14:21:01.706Z",
"dateUpdated": "2025-04-01T18:42:45.532Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-5643
Vulnerability from cvelistv5
Published
2017-03-16 15:00
Modified
2024-08-05 15:04
Severity ?
EPSS score ?
Summary
Apache Camel's Validation Component is vulnerable against SSRF via remote DTDs and XXE.
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.securityfocus.com/bid/97226 | vdb-entry, x_refsource_BID | |
| https://access.redhat.com/errata/RHSA-2017:1832 | vendor-advisory, x_refsource_REDHAT | |
| http://camel.apache.org/security-advisories.data/CVE-2017-5643.txt.asc?version=1&modificationDate=1489652454000&api=v2 | x_refsource_CONFIRM | |
| https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d%40%3Ccommits.camel.apache.org%3E | mailing-list, x_refsource_MLIST | |
| https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E | mailing-list, x_refsource_MLIST |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Apache Software Foundation | Apache Camel |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T15:04:15.368Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "97226",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/97226"
},
{
"name": "RHSA-2017:1832",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2017:1832"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://camel.apache.org/security-advisories.data/CVE-2017-5643.txt.asc?version=1\u0026modificationDate=1489652454000\u0026api=v2"
},
{
"name": "[camel-commits] 20190430 svn commit: r1044347 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0194.txt.asc security-advisories.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d%40%3Ccommits.camel.apache.org%3E"
},
{
"name": "[camel-commits] 20190524 svn commit: r1045395 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0188.txt.asc security-advisories.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Camel",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "2.17.0 to 2.17.5"
},
{
"status": "affected",
"version": "2.18.0 to 2.18.2"
},
{
"status": "affected",
"version": "The unsupported Camel 2.x (2.16 and earlier) versions may be also affected."
}
]
}
],
"datePublic": "2017-03-16T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Apache Camel\u0027s Validation Component is vulnerable against SSRF via remote DTDs and XXE."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "SSRF",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-05-24T10:06:04",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "97226",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/97226"
},
{
"name": "RHSA-2017:1832",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2017:1832"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://camel.apache.org/security-advisories.data/CVE-2017-5643.txt.asc?version=1\u0026modificationDate=1489652454000\u0026api=v2"
},
{
"name": "[camel-commits] 20190430 svn commit: r1044347 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0194.txt.asc security-advisories.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d%40%3Ccommits.camel.apache.org%3E"
},
{
"name": "[camel-commits] 20190524 svn commit: r1045395 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0188.txt.asc security-advisories.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2017-5643",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Camel",
"version": {
"version_data": [
{
"version_value": "2.17.0 to 2.17.5"
},
{
"version_value": "2.18.0 to 2.18.2"
},
{
"version_value": "The unsupported Camel 2.x (2.16 and earlier) versions may be also affected."
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache Camel\u0027s Validation Component is vulnerable against SSRF via remote DTDs and XXE."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "SSRF"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "97226",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/97226"
},
{
"name": "RHSA-2017:1832",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2017:1832"
},
{
"name": "http://camel.apache.org/security-advisories.data/CVE-2017-5643.txt.asc?version=1\u0026modificationDate=1489652454000\u0026api=v2",
"refsource": "CONFIRM",
"url": "http://camel.apache.org/security-advisories.data/CVE-2017-5643.txt.asc?version=1\u0026modificationDate=1489652454000\u0026api=v2"
},
{
"name": "[camel-commits] 20190430 svn commit: r1044347 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0194.txt.asc security-advisories.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d@%3Ccommits.camel.apache.org%3E"
},
{
"name": "[camel-commits] 20190524 svn commit: r1045395 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0188.txt.asc security-advisories.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf@%3Ccommits.camel.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2017-5643",
"datePublished": "2017-03-16T15:00:00",
"dateReserved": "2017-01-29T00:00:00",
"dateUpdated": "2024-08-05T15:04:15.368Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-3159
Vulnerability from cvelistv5
Published
2017-03-07 15:00
Modified
2024-08-05 14:16
Severity ?
EPSS score ?
Summary
Apache Camel's camel-snakeyaml component is vulnerable to Java object de-serialization vulnerability. De-serializing untrusted data can lead to security flaws.
References
| ▼ | URL | Tags |
|---|---|---|
| https://access.redhat.com/errata/RHSA-2017:0868 | vendor-advisory, x_refsource_REDHAT | |
| https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true | x_refsource_MISC | |
| http://www.securityfocus.com/bid/96321 | vdb-entry, x_refsource_BID | |
| http://www.openwall.com/lists/oss-security/2017/05/22/2 | mailing-list, x_refsource_MLIST | |
| http://camel.apache.org/security-advisories.data/CVE-2017-3159.txt.asc?version=1&modificationDate=1486565167000&api=v2 | x_refsource_CONFIRM | |
| https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d%40%3Ccommits.camel.apache.org%3E | mailing-list, x_refsource_MLIST | |
| https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E | mailing-list, x_refsource_MLIST |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Apache Software Foundation | Apache Camel |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T14:16:28.249Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "RHSA-2017:0868",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2017:0868"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true"
},
{
"name": "96321",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/96321"
},
{
"name": "[oss-security] 20170522 Code Execution through a variety Java (Un-)Marshallers",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2017/05/22/2"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://camel.apache.org/security-advisories.data/CVE-2017-3159.txt.asc?version=1\u0026modificationDate=1486565167000\u0026api=v2"
},
{
"name": "[camel-commits] 20190430 svn commit: r1044347 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0194.txt.asc security-advisories.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d%40%3Ccommits.camel.apache.org%3E"
},
{
"name": "[camel-commits] 20190524 svn commit: r1045395 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0188.txt.asc security-advisories.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Camel",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "2.17.0 to 2.17.4"
},
{
"status": "affected",
"version": "2.18.0 to 2.18.1"
},
{
"status": "affected",
"version": "The unsupported Camel 2.x (2.14 and earlier) versions may be also affected."
}
]
}
],
"datePublic": "2017-03-07T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Apache Camel\u0027s camel-snakeyaml component is vulnerable to Java object de-serialization vulnerability. De-serializing untrusted data can lead to security flaws."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Java deserialization",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-05-24T10:06:03",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "RHSA-2017:0868",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2017:0868"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true"
},
{
"name": "96321",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/96321"
},
{
"name": "[oss-security] 20170522 Code Execution through a variety Java (Un-)Marshallers",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2017/05/22/2"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://camel.apache.org/security-advisories.data/CVE-2017-3159.txt.asc?version=1\u0026modificationDate=1486565167000\u0026api=v2"
},
{
"name": "[camel-commits] 20190430 svn commit: r1044347 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0194.txt.asc security-advisories.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d%40%3Ccommits.camel.apache.org%3E"
},
{
"name": "[camel-commits] 20190524 svn commit: r1045395 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0188.txt.asc security-advisories.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2017-3159",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Camel",
"version": {
"version_data": [
{
"version_value": "2.17.0 to 2.17.4"
},
{
"version_value": "2.18.0 to 2.18.1"
},
{
"version_value": "The unsupported Camel 2.x (2.14 and earlier) versions may be also affected."
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache Camel\u0027s camel-snakeyaml component is vulnerable to Java object de-serialization vulnerability. De-serializing untrusted data can lead to security flaws."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Java deserialization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "RHSA-2017:0868",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2017:0868"
},
{
"name": "https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true",
"refsource": "MISC",
"url": "https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true"
},
{
"name": "96321",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/96321"
},
{
"name": "[oss-security] 20170522 Code Execution through a variety Java (Un-)Marshallers",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2017/05/22/2"
},
{
"name": "http://camel.apache.org/security-advisories.data/CVE-2017-3159.txt.asc?version=1\u0026modificationDate=1486565167000\u0026api=v2",
"refsource": "CONFIRM",
"url": "http://camel.apache.org/security-advisories.data/CVE-2017-3159.txt.asc?version=1\u0026modificationDate=1486565167000\u0026api=v2"
},
{
"name": "[camel-commits] 20190430 svn commit: r1044347 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0194.txt.asc security-advisories.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d@%3Ccommits.camel.apache.org%3E"
},
{
"name": "[camel-commits] 20190524 svn commit: r1045395 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0188.txt.asc security-advisories.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf@%3Ccommits.camel.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2017-3159",
"datePublished": "2017-03-07T15:00:00",
"dateReserved": "2016-12-05T00:00:00",
"dateUpdated": "2024-08-05T14:16:28.249Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-8027
Vulnerability from cvelistv5
Published
2018-07-31 13:00
Modified
2024-09-16 19:25
Severity ?
EPSS score ?
Summary
Apache Camel 2.20.0 to 2.20.3 and 2.21.0 Core is vulnerable to XXE in XSD validation processor.
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.securityfocus.com/bid/104933 | vdb-entry, x_refsource_BID | |
| https://lists.apache.org/thread.html/77f596fc63e63c2e9adcff3c34759b32c225cf0b582aedb755adaade%40%3Cdev.camel.apache.org%3E | mailing-list, x_refsource_MLIST | |
| http://camel.apache.org/security-advisories.data/CVE-2018-8027.txt.asc | x_refsource_CONFIRM | |
| https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d%40%3Ccommits.camel.apache.org%3E | mailing-list, x_refsource_MLIST | |
| https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E | mailing-list, x_refsource_MLIST |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Apache Software Foundation | Apache Camel |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T06:46:12.239Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "104933",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/104933"
},
{
"name": "[camel-dev] 20180731 [SECURITY] New security advisory CVE-2018-8027 released for Apache Camel",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/77f596fc63e63c2e9adcff3c34759b32c225cf0b582aedb755adaade%40%3Cdev.camel.apache.org%3E"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://camel.apache.org/security-advisories.data/CVE-2018-8027.txt.asc"
},
{
"name": "[camel-commits] 20190430 svn commit: r1044347 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0194.txt.asc security-advisories.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d%40%3Ccommits.camel.apache.org%3E"
},
{
"name": "[camel-commits] 20190524 svn commit: r1045395 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0188.txt.asc security-advisories.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Camel",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "2.20.0 to 2.20.3"
},
{
"status": "affected",
"version": "2.21.0"
}
]
}
],
"datePublic": "2018-07-31T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Apache Camel 2.20.0 to 2.20.3 and 2.21.0 Core is vulnerable to XXE in XSD validation processor."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "XML External Entity",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-05-24T10:06:04",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "104933",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/104933"
},
{
"name": "[camel-dev] 20180731 [SECURITY] New security advisory CVE-2018-8027 released for Apache Camel",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/77f596fc63e63c2e9adcff3c34759b32c225cf0b582aedb755adaade%40%3Cdev.camel.apache.org%3E"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://camel.apache.org/security-advisories.data/CVE-2018-8027.txt.asc"
},
{
"name": "[camel-commits] 20190430 svn commit: r1044347 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0194.txt.asc security-advisories.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d%40%3Ccommits.camel.apache.org%3E"
},
{
"name": "[camel-commits] 20190524 svn commit: r1045395 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0188.txt.asc security-advisories.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2018-07-31T00:00:00",
"ID": "CVE-2018-8027",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Camel",
"version": {
"version_data": [
{
"version_value": "2.20.0 to 2.20.3"
},
{
"version_value": "2.21.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache Camel 2.20.0 to 2.20.3 and 2.21.0 Core is vulnerable to XXE in XSD validation processor."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "XML External Entity"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "104933",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/104933"
},
{
"name": "[camel-dev] 20180731 [SECURITY] New security advisory CVE-2018-8027 released for Apache Camel",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/77f596fc63e63c2e9adcff3c34759b32c225cf0b582aedb755adaade@%3Cdev.camel.apache.org%3E"
},
{
"name": "http://camel.apache.org/security-advisories.data/CVE-2018-8027.txt.asc",
"refsource": "CONFIRM",
"url": "http://camel.apache.org/security-advisories.data/CVE-2018-8027.txt.asc"
},
{
"name": "[camel-commits] 20190430 svn commit: r1044347 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0194.txt.asc security-advisories.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d@%3Ccommits.camel.apache.org%3E"
},
{
"name": "[camel-commits] 20190524 svn commit: r1045395 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0188.txt.asc security-advisories.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf@%3Ccommits.camel.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2018-8027",
"datePublished": "2018-07-31T13:00:00Z",
"dateReserved": "2018-03-09T00:00:00",
"dateUpdated": "2024-09-16T19:25:52.726Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-23114
Vulnerability from cvelistv5
Published
2024-02-20 14:59
Modified
2024-08-28 19:49
Severity ?
EPSS score ?
Summary
Apache Camel: Camel-CassandraQL: Unsafe Deserialization from CassandraAggregationRepository
References
| ▼ | URL | Tags |
|---|---|---|
| https://camel.apache.org/security/CVE-2024-23114.html | vendor-advisory |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Apache Software Foundation | Apache Camel |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:51:11.265Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://camel.apache.org/security/CVE-2024-23114.html"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "camel",
"vendor": "apache",
"versions": [
{
"lessThan": "3.21.4",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
},
{
"lessThan": "3.22.1",
"status": "affected",
"version": "3.22.0",
"versionType": "custom"
},
{
"lessThan": "4.0.4",
"status": "affected",
"version": "4.0.0",
"versionType": "custom"
},
{
"lessThan": "4.4.0",
"status": "affected",
"version": "4.1.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-23114",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-28T19:49:44.817314Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-28T19:49:48.296Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Camel",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.21.4",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
},
{
"lessThan": "3.22.1",
"status": "affected",
"version": "3.22.0",
"versionType": "semver"
},
{
"lessThan": "4.0.4",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
},
{
"lessThan": "4.4.0",
"status": "affected",
"version": "4.1.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Federico Mariani From Apache Software Foundation"
},
{
"lang": "en",
"type": "finder",
"value": "Andrea Cosentino from Apache Software Foundation"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Deserialization of Untrusted Data vulnerability in Apache Camel CassandraQL Component AggregationRepository which is vulnerable to unsafe deserialization. Under specific conditions it is possible to deserialize malicious payload.\u003cp\u003eThis issue affects Apache Camel: from 3.0.0 before 3.21.4, from 3.22.0 before 3.22.1, from 4.0.0 before 4.0.4, from 4.1.0 before 4.4.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 4.4.0, which fixes the issue.\u0026nbsp;If users are on the 4.0.x LTS releases stream, then they are suggested to upgrade to 4.0.4. If users are on 3.x, they are suggested to move to 3.21.4 or 3.22.1\u003c/p\u003e"
}
],
"value": "Deserialization of Untrusted Data vulnerability in Apache Camel CassandraQL Component AggregationRepository which is vulnerable to unsafe deserialization. Under specific conditions it is possible to deserialize malicious payload.This issue affects Apache Camel: from 3.0.0 before 3.21.4, from 3.22.0 before 3.22.1, from 4.0.0 before 4.0.4, from 4.1.0 before 4.4.0.\n\nUsers are recommended to upgrade to version 4.4.0, which fixes the issue.\u00a0If users are on the 4.0.x LTS releases stream, then they are suggested to upgrade to 4.0.4. If users are on 3.x, they are suggested to move to 3.21.4 or 3.22.1\n\n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-20T14:59:38.326Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://camel.apache.org/security/CVE-2024-23114.html"
}
],
"source": {
"defect": [
"CAMEL-20306"
],
"discovery": "INTERNAL"
},
"title": "Apache Camel: Camel-CassandraQL: Unsafe Deserialization from CassandraAggregationRepository",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-23114",
"datePublished": "2024-02-20T14:59:38.326Z",
"dateReserved": "2024-01-11T17:22:53.091Z",
"dateUpdated": "2024-08-28T19:49:48.296Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-8041
Vulnerability from cvelistv5
Published
2018-09-17 14:00
Modified
2024-09-17 04:29
Severity ?
EPSS score ?
Summary
Apache Camel's Mail 2.20.0 through 2.20.3, 2.21.0 through 2.21.1 and 2.22.0 is vulnerable to path traversal.
References
| ▼ | URL | Tags |
|---|---|---|
| http://camel.apache.org/security-advisories.data/CVE-2018-8041.txt.asc?version=1&modificationDate=1536746339000&api=v2 | x_refsource_CONFIRM | |
| http://www.securityfocus.com/bid/105352 | vdb-entry, x_refsource_BID | |
| https://issues.apache.org/jira/browse/CAMEL-12630 | x_refsource_CONFIRM | |
| https://access.redhat.com/errata/RHSA-2018:3768 | vendor-advisory, x_refsource_REDHAT | |
| https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d%40%3Ccommits.camel.apache.org%3E | mailing-list, x_refsource_MLIST | |
| https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E | mailing-list, x_refsource_MLIST |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Apache Software Foundation | Apache Camel |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T06:46:13.596Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://camel.apache.org/security-advisories.data/CVE-2018-8041.txt.asc?version=1\u0026modificationDate=1536746339000\u0026api=v2"
},
{
"name": "105352",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/105352"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://issues.apache.org/jira/browse/CAMEL-12630"
},
{
"name": "RHSA-2018:3768",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3768"
},
{
"name": "[camel-commits] 20190430 svn commit: r1044347 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0194.txt.asc security-advisories.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d%40%3Ccommits.camel.apache.org%3E"
},
{
"name": "[camel-commits] 20190524 svn commit: r1045395 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0188.txt.asc security-advisories.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Camel",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "Camel 2.20.0 to 2.20.3, Camel 2.21.0 to 2.21.1 and Camel 2.22.0"
}
]
}
],
"datePublic": "2018-07-09T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Apache Camel\u0027s Mail 2.20.0 through 2.20.3, 2.21.0 through 2.21.1 and 2.22.0 is vulnerable to path traversal."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Path traversal",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-05-24T10:06:03",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://camel.apache.org/security-advisories.data/CVE-2018-8041.txt.asc?version=1\u0026modificationDate=1536746339000\u0026api=v2"
},
{
"name": "105352",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/105352"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://issues.apache.org/jira/browse/CAMEL-12630"
},
{
"name": "RHSA-2018:3768",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3768"
},
{
"name": "[camel-commits] 20190430 svn commit: r1044347 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0194.txt.asc security-advisories.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d%40%3Ccommits.camel.apache.org%3E"
},
{
"name": "[camel-commits] 20190524 svn commit: r1045395 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0188.txt.asc security-advisories.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2018-07-09T00:00:00",
"ID": "CVE-2018-8041",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Camel",
"version": {
"version_data": [
{
"version_value": "Camel 2.20.0 to 2.20.3, Camel 2.21.0 to 2.21.1 and Camel 2.22.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache Camel\u0027s Mail 2.20.0 through 2.20.3, 2.21.0 through 2.21.1 and 2.22.0 is vulnerable to path traversal."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Path traversal"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://camel.apache.org/security-advisories.data/CVE-2018-8041.txt.asc?version=1\u0026modificationDate=1536746339000\u0026api=v2",
"refsource": "CONFIRM",
"url": "http://camel.apache.org/security-advisories.data/CVE-2018-8041.txt.asc?version=1\u0026modificationDate=1536746339000\u0026api=v2"
},
{
"name": "105352",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/105352"
},
{
"name": "https://issues.apache.org/jira/browse/CAMEL-12630",
"refsource": "CONFIRM",
"url": "https://issues.apache.org/jira/browse/CAMEL-12630"
},
{
"name": "RHSA-2018:3768",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:3768"
},
{
"name": "[camel-commits] 20190430 svn commit: r1044347 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0194.txt.asc security-advisories.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d@%3Ccommits.camel.apache.org%3E"
},
{
"name": "[camel-commits] 20190524 svn commit: r1045395 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0188.txt.asc security-advisories.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf@%3Ccommits.camel.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2018-8041",
"datePublished": "2018-09-17T14:00:00Z",
"dateReserved": "2018-03-09T00:00:00",
"dateUpdated": "2024-09-17T04:29:13.153Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
jvndb-2019-000027
Vulnerability from jvndb
Published
2019-05-22 14:37
Modified
2019-09-30 18:14
Severity ?
Summary
Apache Camel vulnerable to XML external entity injection (XXE)
Details
Apache Camel provided by The Apache Software Foundation contains an XML external entity injection (XXE) vulnerability (CWE-611) due to using an outdated vulnerable JSON-lib library.
Takayoshi Isayama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Apache Software Foundation | Apache Camel |
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000027.html",
"dc:date": "2019-09-30T18:14+09:00",
"dcterms:issued": "2019-05-22T14:37+09:00",
"dcterms:modified": "2019-09-30T18:14+09:00",
"description": "Apache Camel provided by The Apache Software Foundation contains an XML external entity injection (XXE) vulnerability (CWE-611) due to using an outdated vulnerable JSON-lib library.\r\n\r\nTakayoshi Isayama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000027.html",
"sec:cpe": {
"#text": "cpe:/a:apache:camel",
"@product": "Apache Camel",
"@vendor": "Apache Software Foundation",
"@version": "2.2"
},
"sec:cvss": [
{
"@score": "5.0",
"@severity": "Medium",
"@type": "Base",
"@vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"@version": "2.0"
},
{
"@score": "5.8",
"@severity": "Medium",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"@version": "3.0"
}
],
"sec:identifier": "JVNDB-2019-000027",
"sec:references": [
{
"#text": "https://jvn.jp/en/jp/JVN71498764/index.html",
"@id": "JVN#71498764",
"@source": "JVN"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0188",
"@id": "CVE-2019-0188",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2019-0188",
"@id": "CVE-2019-0188",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-Other",
"@title": "No Mapping(CWE-Other)"
}
],
"title": "Apache Camel vulnerable to XML external entity injection (XXE)"
}