cve-2025-30177
Vulnerability from cvelistv5
Published: 2025-04-01 11:56
Modified: 2025-04-01 18:42
Summary
Apache Camel: Camel-Undertow Message Header Injection via Improper Filtering
References
Source | URL | Tags
---|---|---
security@apache.org | https://camel.apache.org/security/CVE-2025-27636.html | Not Applicable
security@apache.org | https://camel.apache.org/security/CVE-2025-29891.html | Not Applicable
security@apache.org | https://lists.apache.org/thread/dj79zdgw01j337lr9gvyy4sv8xfyw8py | Mailing List, Vendor Advisory
Impacted products
Vendor | Product
---|---
Apache Software Foundation | Apache Camel
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2025-30177", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-04-01T18:40:10.405496Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-04-01T18:42:45.532Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected", "packageName": "org.apache.camel:camel-undertow", "product": "Apache Camel", "vendor": "Apache Software Foundation", "versions": [ { "lessThan": "4.10.3", "status": "affected", "version": "4.10.0", "versionType": "semver" }, { "lessThan": "4.8.6", "status": "affected", "version": "4.8.0", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Mark Thorson of AT\u0026T" }, { "lang": "en", "type": "reporter", "value": "Mark Thorson of AT\u0026T" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eBypass/Injection vulnerability in Apache Camel in Camel-Undertow component under particular conditions.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Camel: from 4.10.0 before 4.10.3, from 4.8.0 before 4.8.6.\u003c/p\u003eUsers are recommended to upgrade to version 4.10.3 for 4.10.x LTS and 4.8.6 for 4.8.x LTS.\u003cbr\u003e\u003cbr\u003e\u003cdiv\u003eCamel undertow component is vulnerable to Camel message header 
injection, in particular the custom header filter strategy used by the component only filter the \"out\" direction, while it doesn\u0027t filter the \"in\" direction.\u003c/div\u003e\u003cbr\u003eThis allows an attacker to include Camel specific headers that for some Camel components can alter the behaviour such as the camel-bean component, or the camel-exec component.\u003cbr\u003e\u003cbr\u003e" } ], "value": "Bypass/Injection vulnerability in Apache Camel in Camel-Undertow component under particular conditions.\n\nThis issue affects Apache Camel: from 4.10.0 before 4.10.3, from 4.8.0 before 4.8.6.\n\nUsers are recommended to upgrade to version 4.10.3 for 4.10.x LTS and 4.8.6 for 4.8.x LTS.\n\nCamel undertow component is vulnerable to Camel message header injection, in particular the custom header filter strategy used by the component only filter the \"out\" direction, while it doesn\u0027t filter the \"in\" direction.\n\n\nThis allows an attacker to include Camel specific headers that for some Camel components can alter the behaviour such as the camel-bean component, or the camel-exec component." 
} ], "metrics": [ { "other": { "content": { "text": "moderate" }, "type": "Textual description of severity" } } ], "problemTypes": [ { "descriptions": [ { "description": "Bypass/Injection", "lang": "en" } ] }, { "descriptions": [ { "cweId": "CWE-164", "description": "CWE-164 Improper Neutralization of Internal Special Elements", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-04-01T11:56:30.484Z", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "related" ], "url": "https://camel.apache.org/security/CVE-2025-27636.html" }, { "tags": [ "related" ], "url": "https://camel.apache.org/security/CVE-2025-29891.html" }, { "tags": [ "vendor-advisory" ], "url": "https://lists.apache.org/thread/dj79zdgw01j337lr9gvyy4sv8xfyw8py" } ], "source": { "defect": [ "CAMEL-21876" ], "discovery": "UNKNOWN" }, "title": "Apache Camel: Camel-Undertow Message Header Injection via Improper Filtering", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2025-30177", "datePublished": "2025-04-01T11:56:30.484Z", "dateReserved": "2025-03-17T14:21:01.706Z", "dateUpdated": "2025-04-01T18:42:45.532Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2025-30177\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2025-04-01T12:15:15.747\",\"lastModified\":\"2025-04-15T13:00:12.587\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Bypass/Injection vulnerability in Apache Camel in Camel-Undertow component under particular conditions.\\n\\nThis issue affects Apache Camel: from 4.10.0 before 4.10.3, from 4.8.0 before 4.8.6.\\n\\nUsers are recommended to upgrade to version 4.10.3 for 4.10.x LTS and 4.8.6 for 4.8.x LTS.\\n\\nCamel undertow component is vulnerable to Camel message header 
injection, in particular the custom header filter strategy used by the component only filter the \\\"out\\\" direction, while it doesn\u0027t filter the \\\"in\\\" direction.\\n\\n\\nThis allows an attacker to include Camel specific headers that for some Camel components can alter the behaviour such as the camel-bean component, or the camel-exec component.\"},{\"lang\":\"es\",\"value\":\"Vulnerabilidad de omisi\u00f3n/inyecci\u00f3n en Apache Camel en el componente Camel-Undertow bajo ciertas condiciones. Este problema afecta a Apache Camel: de la versi\u00f3n 4.10.0 a la 4.10.3, y de la versi\u00f3n 4.8.0 a la 4.8.6. Se recomienda a los usuarios actualizar a la versi\u00f3n 4.10.3 para la versi\u00f3n 4.10.x LTS y a la 4.8.6 para la versi\u00f3n 4.8.x LTS. El componente Camel Undertow es vulnerable a la inyecci\u00f3n de encabezados de mensajes de Camel; en particular, la estrategia de filtrado de encabezados personalizada que utiliza el componente solo filtra la direcci\u00f3n de salida, pero no la de entrada. 
Esto permite a un atacante incluir encabezados espec\u00edficos de Camel que, en algunos componentes de Camel, pueden alterar el comportamiento, como los componentes camel-bean o camel-exec.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":2.5}]},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-164\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.8.0\",\"versionEndExcluding\":\"4.8.6\",\"matchCriteriaId\":\"D9FD8755-3AFF-46F8-A830-FD0BF04B5DB8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.10.0\",\"versionEndExcluding\":\"4.10.3\",\"matchCriteriaId\":\"874BB2C0-D562-4EC9-A839-BAEED574AD41\"}]}]}],\"references\":[{\"url\":\"https://camel.apache.org/security/CVE-2025-27636.html\",\"source\":\"security@apache.org\",\"tags\":[\"Not Applicable\"]},{\"url\":\"https://camel.apache.org/security/CVE-2025-29891.html\",\"source\":\"security@apache.org\",\"tags\":[\"Not Applicable\"]},{\"url\":\"https://lists.apache.org/thread/dj79zdgw01j337lr9gvyy4sv8xfyw8py\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]}]}}" } }