cvelistv5 - cve-2025-27636

cve-2025-27636

Vulnerability from cvelistv5

Published

2025-03-09 12:09

Modified

2025-03-17 14:42

Severity ?

Summary

Bypass/Injection vulnerability in Apache Camel components under particular conditions. This issue affects Apache Camel: from 4.10.0 through <= 4.10.1, from 4.8.0 through <= 4.8.4, from 3.10.0 through <= 3.22.3. Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases. This vulnerability is present in Camel's default incoming header filter, that allows an attacker to include Camel specific headers that for some Camel components can alter the behaviours such as the camel-bean component, to call another method on the bean, than was coded in the application. In the camel-jms component, then a malicious header can be used to send the message to another queue (on the same broker) than was coded in the application. This could also be seen by using the camel-exec component The attacker would need to inject custom headers, such as HTTP protocols. So if you have Camel applications that are directly connected to the internet via HTTP, then an attacker could include malicious HTTP headers in the HTTP requests that are send to the Camel application. All the known Camel HTTP component such as camel-servlet, camel-jetty, camel-undertow, camel-platform-http, and camel-netty-http would be vulnerable out of the box. In these conditions an attacker could be able to forge a Camel header name and make the bean component invoking other methods in the same bean. In terms of usage of the default header filter strategy the list of components using that is: * camel-activemq * camel-activemq6 * camel-amqp * camel-aws2-sqs * camel-azure-servicebus * camel-cxf-rest * camel-cxf-soap * camel-http * camel-jetty * camel-jms * camel-kafka * camel-knative * camel-mail * camel-nats * camel-netty-http * camel-platform-http * camel-rest * camel-sjms * camel-spring-rabbitmq * camel-stomp * camel-tahu * camel-undertow * camel-xmpp The vulnerability arises due to a bug in the default filtering mechanism that only blocks headers starting with "Camel", "camel", or "org.apache.camel.". Mitigation: You can easily work around this in your Camel applications by removing the headers in your Camel routes. There are many ways of doing this, also globally or per route. This means you could use the removeHeaders EIP, to filter out anything like "cAmel, cAMEL" etc, or in general everything not starting with "Camel", "camel" or "org.apache.camel.".

References

▼	URL	Tags
	security@apache.org	https://camel.apache.org/security/CVE-2025-27636.html
	security@apache.org	https://issues.apache.org/jira/browse/CAMEL-21828
	security@apache.org	https://lists.apache.org/thread/l3zcg3vts88bmc7w8172wkgw610y693z
	af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2025/03/09/1
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://camel.apache.org/security/CVE-2025-27636.txt.asc
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/akamai/CVE-2025-27636-Apache-Camel-PoC/blob/main/src/main/java/com/example/camel/VulnerableCamel.java

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Camel	Version: 4.10.0 ≤ Version: 4.8.0 ≤ Version: 3.10.0 ≤

Show details on NVD website

JSON

To clipboard

{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2025-03-09T17:02:21.478Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  url: "http://www.openwall.com/lists/oss-security/2025/03/09/1",
               },
            ],
            title: "CVE Program Container",
         },
         {
            metrics: [
               {
                  cvssV3_1: {
                     attackComplexity: "HIGH",
                     attackVector: "NETWORK",
                     availabilityImpact: "LOW",
                     baseScore: 5.6,
                     baseSeverity: "MEDIUM",
                     confidentialityImpact: "LOW",
                     integrityImpact: "LOW",
                     privilegesRequired: "NONE",
                     scope: "UNCHANGED",
                     userInteraction: "NONE",
                     vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
                     version: "3.1",
                  },
               },
               {
                  other: {
                     content: {
                        id: "CVE-2025-27636",
                        options: [
                           {
                              Exploitation: "poc",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2025-03-10T18:51:57.713279Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            problemTypes: [
               {
                  descriptions: [
                     {
                        cweId: "CWE-178",
                        description: "CWE-178 Improper Handling of Case Sensitivity",
                        lang: "en",
                        type: "CWE",
                     },
                  ],
               },
            ],
            providerMetadata: {
               dateUpdated: "2025-03-10T18:56:43.452Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            references: [
               {
                  tags: [
                     "exploit",
                  ],
                  url: "https://github.com/akamai/CVE-2025-27636-Apache-Camel-PoC/blob/main/src/main/java/com/example/camel/VulnerableCamel.java",
               },
               {
                  tags: [
                     "vendor-advisory",
                  ],
                  url: "https://camel.apache.org/security/CVE-2025-27636.txt.asc",
               },
            ],
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               collectionURL: "https://repo.maven.apache.org/maven2",
               defaultStatus: "unaffected",
               packageName: "org.apache.camel:camel",
               product: "Apache Camel",
               vendor: "Apache Software Foundation",
               versions: [
                  {
                     lessThan: "4.10.2",
                     status: "affected",
                     version: "4.10.0",
                     versionType: "semver",
                  },
                  {
                     lessThan: "4.8.5",
                     status: "affected",
                     version: "4.8.0",
                     versionType: "semver",
                  },
                  {
                     lessThan: "3.22.4",
                     status: "affected",
                     version: "3.10.0",
                     versionType: "semver",
                  },
               ],
            },
         ],
         credits: [
            {
               lang: "en",
               type: "finder",
               value: "Mark Thorson",
            },
         ],
         descriptions: [
            {
               lang: "en",
               supportingMedia: [
                  {
                     base64: false,
                     type: "text/html",
                     value: "<p>Bypass/Injection vulnerability in Apache Camel components under particular conditions.</p><p>This issue affects Apache Camel: from 4.10.0 through &lt;= 4.10.1, from 4.8.0 through &lt;= 4.8.4, from 3.10.0 through &lt;= 3.22.3.</p><p>Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases.</p><div></div><div>This vulnerability is present in Camel's default incoming header filter, that allows an attacker to include Camel specific</div><div>headers that for some Camel components can alter the behaviours such as the camel-bean component, to call another method</div><div>on the bean, than was coded in the application. In the camel-jms component, then a malicious header can be used to send</div><div>the message to another queue (on the same broker) than was coded in the application. This could also be seen by using the camel-exec component</div><div><br></div><div>The attacker would need to inject custom headers, such as HTTP protocols. So if you have Camel applications that are</div><div>directly connected to the internet via HTTP, then an attacker could include malicious HTTP headers in the HTTP requests</div><div>that are send to the Camel application.</div><div><br></div>All the known Camel HTTP component such as camel-servlet, camel-jetty, camel-undertow, camel-platform-http, and camel-netty-http would be vulnerable out of the box.<br><br>In these conditions an attacker could be able to forge a Camel header name and make the bean component invoking other methods in the same bean.<br><br><div>In terms of usage of the default header filter strategy the list of components using that is: <br></div><div><div><ul><li>camel-activemq</li><li>camel-activemq6</li><li>camel-amqp</li><li>camel-aws2-sqs</li><li>camel-azure-servicebus</li><li>camel-cxf-rest</li><li>camel-cxf-soap</li><li>camel-http</li><li>camel-jetty</li><li>camel-jms</li><li>camel-kafka</li><li>camel-knative</li><li>camel-mail</li><li>camel-nats</li><li>camel-netty-http</li><li>camel-platform-http</li><li>camel-rest</li><li>camel-sjms</li><li>camel-spring-rabbitmq</li><li>camel-stomp</li><li>camel-tahu</li><li>camel-undertow</li><li>camel-xmpp</li></ul></div></div><div>The vulnerability arises due to a bug in the default filtering mechanism that only blocks headers starting with \"Camel\", \"camel\", or \"org.apache.camel.\".&nbsp;</div><br><div><span style=\"background-color: var(--wht);\">Mitigation:&nbsp;</span>You can easily work around this in your Camel applications by removing the&nbsp;headers in your Camel routes. There are many ways of doing this, also&nbsp;globally or per route. This means you could use the removeHeaders EIP, to filter out anything like \"cAmel, cAMEL\" etc, or in general everything not starting with \"Camel\", \"camel\" or \"org.apache.camel.\".&nbsp;<br></div><br>",
                  },
               ],
               value: "Bypass/Injection vulnerability in Apache Camel components under particular conditions.\n\nThis issue affects Apache Camel: from 4.10.0 through <= 4.10.1, from 4.8.0 through <= 4.8.4, from 3.10.0 through <= 3.22.3.\n\nUsers are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases.\n\n\n\nThis vulnerability is present in Camel's default incoming header filter, that allows an attacker to include Camel specific\n\nheaders that for some Camel components can alter the behaviours such as the camel-bean component, to call another method\n\non the bean, than was coded in the application. In the camel-jms component, then a malicious header can be used to send\n\nthe message to another queue (on the same broker) than was coded in the application. This could also be seen by using the camel-exec component\n\n\n\n\nThe attacker would need to inject custom headers, such as HTTP protocols. So if you have Camel applications that are\n\ndirectly connected to the internet via HTTP, then an attacker could include malicious HTTP headers in the HTTP requests\n\nthat are send to the Camel application.\n\n\n\n\nAll the known Camel HTTP component such as camel-servlet, camel-jetty, camel-undertow, camel-platform-http, and camel-netty-http would be vulnerable out of the box.\n\nIn these conditions an attacker could be able to forge a Camel header name and make the bean component invoking other methods in the same bean.\n\nIn terms of usage of the default header filter strategy the list of components using that is: \n\n\n  *  camel-activemq\n  *  camel-activemq6\n  *  camel-amqp\n  *  camel-aws2-sqs\n  *  camel-azure-servicebus\n  *  camel-cxf-rest\n  *  camel-cxf-soap\n  *  camel-http\n  *  camel-jetty\n  *  camel-jms\n  *  camel-kafka\n  *  camel-knative\n  *  camel-mail\n  *  camel-nats\n  *  camel-netty-http\n  *  camel-platform-http\n  *  camel-rest\n  *  camel-sjms\n  *  camel-spring-rabbitmq\n  *  camel-stomp\n  *  camel-tahu\n  *  camel-undertow\n  *  camel-xmpp\n\n\n\n\n\n\nThe vulnerability arises due to a bug in the default filtering mechanism that only blocks headers starting with \"Camel\", \"camel\", or \"org.apache.camel.\". \n\n\nMitigation: You can easily work around this in your Camel applications by removing the headers in your Camel routes. There are many ways of doing this, also globally or per route. This means you could use the removeHeaders EIP, to filter out anything like \"cAmel, cAMEL\" etc, or in general everything not starting with \"Camel\", \"camel\" or \"org.apache.camel.\".",
            },
         ],
         metrics: [
            {
               other: {
                  content: {
                     text: "moderate",
                  },
                  type: "Textual description of severity",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "Bypass/Injection",
                     lang: "en",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2025-03-17T14:42:57.795Z",
            orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            shortName: "apache",
         },
         references: [
            {
               tags: [
                  "vendor-advisory",
               ],
               url: "https://lists.apache.org/thread/l3zcg3vts88bmc7w8172wkgw610y693z",
            },
            {
               tags: [
                  "issue-tracking",
               ],
               url: "https://issues.apache.org/jira/browse/CAMEL-21828",
            },
            {
               tags: [
                  "vendor-advisory",
               ],
               url: "https://camel.apache.org/security/CVE-2025-27636.html",
            },
         ],
         source: {
            defect: [
               "CAMEL-21828",
            ],
            discovery: "UNKNOWN",
         },
         title: "Apache Camel: Camel Message Header Injection via Improper Filtering",
         x_generator: {
            engine: "Vulnogram 0.2.0",
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09",
      assignerShortName: "apache",
      cveId: "CVE-2025-27636",
      datePublished: "2025-03-09T12:09:58.619Z",
      dateReserved: "2025-03-04T11:56:29.254Z",
      dateUpdated: "2025-03-17T14:42:57.795Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
   "vulnerability-lookup:meta": {
      nvd: "{\"cve\":{\"id\":\"CVE-2025-27636\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2025-03-09T13:15:34.403\",\"lastModified\":\"2025-03-17T15:15:44.750\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Bypass/Injection vulnerability in Apache Camel components under particular conditions.\\n\\nThis issue affects Apache Camel: from 4.10.0 through <= 4.10.1, from 4.8.0 through <= 4.8.4, from 3.10.0 through <= 3.22.3.\\n\\nUsers are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases.\\n\\n\\n\\nThis vulnerability is present in Camel's default incoming header filter, that allows an attacker to include Camel specific\\n\\nheaders that for some Camel components can alter the behaviours such as the camel-bean component, to call another method\\n\\non the bean, than was coded in the application. In the camel-jms component, then a malicious header can be used to send\\n\\nthe message to another queue (on the same broker) than was coded in the application. This could also be seen by using the camel-exec component\\n\\n\\n\\n\\nThe attacker would need to inject custom headers, such as HTTP protocols. So if you have Camel applications that are\\n\\ndirectly connected to the internet via HTTP, then an attacker could include malicious HTTP headers in the HTTP requests\\n\\nthat are send to the Camel application.\\n\\n\\n\\n\\nAll the known Camel HTTP component such as camel-servlet, camel-jetty, camel-undertow, camel-platform-http, and camel-netty-http would be vulnerable out of the box.\\n\\nIn these conditions an attacker could be able to forge a Camel header name and make the bean component invoking other methods in the same bean.\\n\\nIn terms of usage of the default header filter strategy the list of components using that is: \\n\\n\\n  *  camel-activemq\\n  *  camel-activemq6\\n  *  camel-amqp\\n  *  camel-aws2-sqs\\n  *  camel-azure-servicebus\\n  *  camel-cxf-rest\\n  *  camel-cxf-soap\\n  *  camel-http\\n  *  camel-jetty\\n  *  camel-jms\\n  *  camel-kafka\\n  *  camel-knative\\n  *  camel-mail\\n  *  camel-nats\\n  *  camel-netty-http\\n  *  camel-platform-http\\n  *  camel-rest\\n  *  camel-sjms\\n  *  camel-spring-rabbitmq\\n  *  camel-stomp\\n  *  camel-tahu\\n  *  camel-undertow\\n  *  camel-xmpp\\n\\n\\n\\n\\n\\n\\nThe vulnerability arises due to a bug in the default filtering mechanism that only blocks headers starting with \\\"Camel\\\", \\\"camel\\\", or \\\"org.apache.camel.\\\". \\n\\n\\nMitigation: You can easily work around this in your Camel applications by removing the headers in your Camel routes. There are many ways of doing this, also globally or per route. This means you could use the removeHeaders EIP, to filter out anything like \\\"cAmel, cAMEL\\\" etc, or in general everything not starting with \\\"Camel\\\", \\\"camel\\\" or \\\"org.apache.camel.\\\".\"},{\"lang\":\"es\",\"value\":\"Vulnerabilidad de bypass/inyección en el componente Apache Camel-Bean en determinadas condiciones. Este problema afecta a Apache Camel: desde la versión 4.10.0 hasta la &lt;= 4.10.1, desde la versión 4.8.0 hasta la &lt;= 4.8.4, desde la versión 3.10.0 hasta la &lt;= 3.22.3. Se recomienda a los usuarios que actualicen a la versión 4.10.2 para 4.10.x LTS, 4.8.5 para 4.8.x LTS y 3.22.4 para las versiones 3.x. Esta vulnerabilidad solo está presente en la siguiente situación. El usuario está utilizando uno de los siguientes servidores HTTP a través de uno de los siguientes componentes Camel * camel-servlet * camel-jetty * camel-undertow * camel-platform-http * camel-netty-http y en la ruta, el intercambio se enrutará a un productor de camel-bean. Por lo tanto, SOLO el componente camel-bean está afectado. En particular: * La invocación del bean (solo se ve afectada si usas cualquiera de los anteriores junto con el componente camel-bean). * El bean que se puede llamar tiene más de 1 método implementado. En estas condiciones, un atacante podría falsificar un nombre de encabezado de Camel y hacer que el componente bean invoque otros métodos en el mismo bean. La vulnerabilidad surge debido a un error en el mecanismo de filtrado predeterminado que solo bloquea los encabezados que comienzan con \\\"Camel\\\", \\\"camel\\\" u \\\"org.apache.camel\\\". Mitigación: puedes solucionar esto fácilmente en tus aplicaciones Camel eliminando los encabezados en tus rutas Camel. Hay muchas formas de hacer esto, también globalmente o por ruta. Esto significa que puedes usar el EIP removeHeaders para filtrar cualquier cosa como \\\"cAmel, cAMEL\\\", etc., o en general todo lo que no comience con \\\"Camel\\\", \\\"camel\\\" u \\\"org.apache.camel\\\".\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L\",\"baseScore\":5.6,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.2,\"impactScore\":3.4}]},\"weaknesses\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-178\"}]}],\"references\":[{\"url\":\"https://camel.apache.org/security/CVE-2025-27636.html\",\"source\":\"security@apache.org\"},{\"url\":\"https://issues.apache.org/jira/browse/CAMEL-21828\",\"source\":\"security@apache.org\"},{\"url\":\"https://lists.apache.org/thread/l3zcg3vts88bmc7w8172wkgw610y693z\",\"source\":\"security@apache.org\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2025/03/09/1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://camel.apache.org/security/CVE-2025-27636.txt.asc\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"},{\"url\":\"https://github.com/akamai/CVE-2025-27636-Apache-Camel-PoC/blob/main/src/main/java/com/example/camel/VulnerableCamel.java\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
      vulnrichment: {
         containers: "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"http://www.openwall.com/lists/oss-security/2025/03/09/1\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-03-09T17:02:21.478Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.6, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-27636\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-03-10T18:51:57.713279Z\"}}}], \"references\": [{\"url\": \"https://github.com/akamai/CVE-2025-27636-Apache-Camel-PoC/blob/main/src/main/java/com/example/camel/VulnerableCamel.java\", \"tags\": [\"exploit\"]}, {\"url\": \"https://camel.apache.org/security/CVE-2025-27636.txt.asc\", \"tags\": [\"vendor-advisory\"]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-178\", \"description\": \"CWE-178 Improper Handling of Case Sensitivity\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-03-10T18:51:42.884Z\"}}], \"cna\": {\"title\": \"Apache Camel: Camel Message Header Injection via Improper Filtering\", \"source\": {\"defect\": [\"CAMEL-21828\"], \"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Mark Thorson\"}], \"metrics\": [{\"other\": {\"type\": \"Textual description of severity\", \"content\": {\"text\": \"moderate\"}}}], \"affected\": [{\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache Camel\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.10.0\", \"lessThan\": \"4.10.2\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"4.8.0\", \"lessThan\": \"4.8.5\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"3.10.0\", \"lessThan\": \"3.22.4\", \"versionType\": \"semver\"}], \"packageName\": \"org.apache.camel:camel\", \"collectionURL\": \"https://repo.maven.apache.org/maven2\", \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://lists.apache.org/thread/l3zcg3vts88bmc7w8172wkgw610y693z\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://issues.apache.org/jira/browse/CAMEL-21828\", \"tags\": [\"issue-tracking\"]}, {\"url\": \"https://camel.apache.org/security/CVE-2025-27636.html\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Bypass/Injection vulnerability in Apache Camel components under particular conditions.\\n\\nThis issue affects Apache Camel: from 4.10.0 through <= 4.10.1, from 4.8.0 through <= 4.8.4, from 3.10.0 through <= 3.22.3.\\n\\nUsers are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases.\\n\\n\\n\\nThis vulnerability is present in Camel's default incoming header filter, that allows an attacker to include Camel specific\\n\\nheaders that for some Camel components can alter the behaviours such as the camel-bean component, to call another method\\n\\non the bean, than was coded in the application. In the camel-jms component, then a malicious header can be used to send\\n\\nthe message to another queue (on the same broker) than was coded in the application. This could also be seen by using the camel-exec component\\n\\n\\n\\n\\nThe attacker would need to inject custom headers, such as HTTP protocols. So if you have Camel applications that are\\n\\ndirectly connected to the internet via HTTP, then an attacker could include malicious HTTP headers in the HTTP requests\\n\\nthat are send to the Camel application.\\n\\n\\n\\n\\nAll the known Camel HTTP component such as camel-servlet, camel-jetty, camel-undertow, camel-platform-http, and camel-netty-http would be vulnerable out of the box.\\n\\nIn these conditions an attacker could be able to forge a Camel header name and make the bean component invoking other methods in the same bean.\\n\\nIn terms of usage of the default header filter strategy the list of components using that is: \\n\\n\\n  *  camel-activemq\\n  *  camel-activemq6\\n  *  camel-amqp\\n  *  camel-aws2-sqs\\n  *  camel-azure-servicebus\\n  *  camel-cxf-rest\\n  *  camel-cxf-soap\\n  *  camel-http\\n  *  camel-jetty\\n  *  camel-jms\\n  *  camel-kafka\\n  *  camel-knative\\n  *  camel-mail\\n  *  camel-nats\\n  *  camel-netty-http\\n  *  camel-platform-http\\n  *  camel-rest\\n  *  camel-sjms\\n  *  camel-spring-rabbitmq\\n  *  camel-stomp\\n  *  camel-tahu\\n  *  camel-undertow\\n  *  camel-xmpp\\n\\n\\n\\n\\n\\n\\nThe vulnerability arises due to a bug in the default filtering mechanism that only blocks headers starting with \\\"Camel\\\", \\\"camel\\\", or \\\"org.apache.camel.\\\".\\u00a0\\n\\n\\nMitigation:\\u00a0You can easily work around this in your Camel applications by removing the\\u00a0headers in your Camel routes. There are many ways of doing this, also\\u00a0globally or per route. This means you could use the removeHeaders EIP, to filter out anything like \\\"cAmel, cAMEL\\\" etc, or in general everything not starting with \\\"Camel\\\", \\\"camel\\\" or \\\"org.apache.camel.\\\".\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"<p>Bypass/Injection vulnerability in Apache Camel components under particular conditions.</p><p>This issue affects Apache Camel: from 4.10.0 through &lt;= 4.10.1, from 4.8.0 through &lt;= 4.8.4, from 3.10.0 through &lt;= 3.22.3.</p><p>Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases.</p><div></div><div>This vulnerability is present in Camel's default incoming header filter, that allows an attacker to include Camel specific</div><div>headers that for some Camel components can alter the behaviours such as the camel-bean component, to call another method</div><div>on the bean, than was coded in the application. In the camel-jms component, then a malicious header can be used to send</div><div>the message to another queue (on the same broker) than was coded in the application. This could also be seen by using the camel-exec component</div><div><br></div><div>The attacker would need to inject custom headers, such as HTTP protocols. So if you have Camel applications that are</div><div>directly connected to the internet via HTTP, then an attacker could include malicious HTTP headers in the HTTP requests</div><div>that are send to the Camel application.</div><div><br></div>All the known Camel HTTP component such as camel-servlet, camel-jetty, camel-undertow, camel-platform-http, and camel-netty-http would be vulnerable out of the box.<br><br>In these conditions an attacker could be able to forge a Camel header name and make the bean component invoking other methods in the same bean.<br><br><div>In terms of usage of the default header filter strategy the list of components using that is: <br></div><div><div><ul><li>camel-activemq</li><li>camel-activemq6</li><li>camel-amqp</li><li>camel-aws2-sqs</li><li>camel-azure-servicebus</li><li>camel-cxf-rest</li><li>camel-cxf-soap</li><li>camel-http</li><li>camel-jetty</li><li>camel-jms</li><li>camel-kafka</li><li>camel-knative</li><li>camel-mail</li><li>camel-nats</li><li>camel-netty-http</li><li>camel-platform-http</li><li>camel-rest</li><li>camel-sjms</li><li>camel-spring-rabbitmq</li><li>camel-stomp</li><li>camel-tahu</li><li>camel-undertow</li><li>camel-xmpp</li></ul></div></div><div>The vulnerability arises due to a bug in the default filtering mechanism that only blocks headers starting with \\\"Camel\\\", \\\"camel\\\", or \\\"org.apache.camel.\\\".&nbsp;</div><br><div><span style=\\\"background-color: var(--wht);\\\">Mitigation:&nbsp;</span>You can easily work around this in your Camel applications by removing the&nbsp;headers in your Camel routes. There are many ways of doing this, also&nbsp;globally or per route. This means you could use the removeHeaders EIP, to filter out anything like \\\"cAmel, cAMEL\\\" etc, or in general everything not starting with \\\"Camel\\\", \\\"camel\\\" or \\\"org.apache.camel.\\\".&nbsp;<br></div><br>\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"description\": \"Bypass/Injection\"}]}], \"providerMetadata\": {\"orgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"shortName\": \"apache\", \"dateUpdated\": \"2025-03-17T14:42:57.795Z\"}}}",
         cveMetadata: "{\"cveId\": \"CVE-2025-27636\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-03-17T14:42:57.795Z\", \"dateReserved\": \"2025-03-04T11:56:29.254Z\", \"assignerOrgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"datePublished\": \"2025-03-09T12:09:58.619Z\", \"assignerShortName\": \"apache\"}",
         dataType: "CVE_RECORD",
         dataVersion: "5.1",
      },
   },
}

ghsa-2c2h-2855-mf97

Vulnerability from github

Published

2025-03-09 15:31

Modified

2025-03-25 18:38

Severity ?

6.3 (Medium) - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Summary

Apache Camel: Camel Message Header Injection via Improper Filtering

Details

Bypass/Injection vulnerability in Apache Camel components under particular conditions.

This issue affects Apache Camel: from 4.9.0 through <= 4.10.1, from 4.8.0 through <= 4.8.4, from 3.10.0 through <= 3.22.3.

Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases.

This vulnerability is present in Camel's default incoming header filter, that allows an attacker to include Camel specific headers that for some Camel components can alter the behaviours such as the camel-bean component, to call another method on the bean, than was coded in the application. In the camel-jms component, then a malicious header can be used to send the message to another queue (on the same broker) than was coded in the application. This could also be seen by using the camel-exec component.

The attacker would need to inject custom headers, such as HTTP protocols. So if you have Camel applications that are directly connected to the internet via HTTP, then an attacker could include malicious HTTP headers in the HTTP requests that are send to the Camel application.

All the known Camel HTTP component such as camel-servlet, camel-jetty, camel-undertow, camel-platform-http, and camel-netty-http would be vulnerable out of the box.

In these conditions an attacker could be able to forge a Camel header name and make the bean component invoking other methods in the same bean.

In terms of usage of the default header filter strategy the list of components using that is:

camel-activemq
camel-activemq6
camel-amqp
camel-aws2-sqs
camel-azure-servicebus
camel-cxf-rest
camel-cxf-soap
camel-http
camel-jetty
camel-jms
camel-kafka
camel-knative
camel-mail
camel-nats
camel-netty-http
camel-platform-http
camel-rest
camel-sjms
camel-spring-rabbitmq
camel-stomp
camel-tahu
camel-undertow
camel-xmpp

The vulnerability arises due to a bug in the default filtering mechanism that only blocks headers starting with "Camel", "camel", or "org.apache.camel.".

Mitigation: You can easily work around this in your Camel applications by removing the headers in your Camel routes. There are many ways of doing this, also globally or per route. This means you could use the removeHeaders EIP, to filter out anything like "cAmel, cAMEL" etc, or in general everything not starting with "Camel", "camel" or "org.apache.camel.".

Show details on source website

JSON

To clipboard

{
   affected: [
      {
         package: {
            ecosystem: "Maven",
            name: "org.apache.camel:camel-support",
         },
         ranges: [
            {
               events: [
                  {
                     introduced: "3.10.0",
                  },
                  {
                     fixed: "3.22.4",
                  },
               ],
               type: "ECOSYSTEM",
            },
         ],
      },
      {
         package: {
            ecosystem: "Maven",
            name: "org.apache.camel:camel-support",
         },
         ranges: [
            {
               events: [
                  {
                     introduced: "4.0.0-M1",
                  },
                  {
                     fixed: "4.8.5",
                  },
               ],
               type: "ECOSYSTEM",
            },
         ],
      },
      {
         package: {
            ecosystem: "Maven",
            name: "org.apache.camel:camel-support",
         },
         ranges: [
            {
               events: [
                  {
                     introduced: "4.9.0",
                  },
                  {
                     fixed: "4.10.2",
                  },
               ],
               type: "ECOSYSTEM",
            },
         ],
      },
   ],
   aliases: [
      "CVE-2025-27636",
   ],
   database_specific: {
      cwe_ids: [
         "CWE-178",
      ],
      github_reviewed: true,
      github_reviewed_at: "2025-03-10T20:49:46Z",
      nvd_published_at: "2025-03-09T13:15:34Z",
      severity: "MODERATE",
   },
   details: "Bypass/Injection vulnerability in Apache Camel components under particular conditions.\n\nThis issue affects Apache Camel: from 4.9.0 through <= 4.10.1, from 4.8.0 through <= 4.8.4, from 3.10.0 through <= 3.22.3.\n\nUsers are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases.\n\nThis vulnerability is present in Camel's default incoming header filter, that allows an attacker to include Camel specific headers that for some Camel components can alter the behaviours such as the camel-bean component, to call another method on the bean, than was coded in the application. In the `camel-jms` component, then a malicious header can be used to send the message to another queue (on the same broker) than was coded in the application. This could also be seen by using the camel-exec component.\n\nThe attacker would need to inject custom headers, such as HTTP protocols. So if you have Camel applications that are directly connected to the internet via HTTP, then an attacker could include malicious HTTP headers in the HTTP requests that are send to the Camel application.\n\nAll the known Camel HTTP component such as `camel-servlet`, `camel-jetty`, `camel-undertow`, `camel-platform-http`, and `camel-netty-http` would be vulnerable out of the box.\n\nIn these conditions an attacker could be able to forge a Camel header name and make the bean component invoking other methods in the same bean.\n\nIn terms of usage of the default header filter strategy the list of components using that is: \n\n  *  camel-activemq\n  *  camel-activemq6\n  *  camel-amqp\n  *  camel-aws2-sqs\n  *  camel-azure-servicebus\n  *  camel-cxf-rest\n  *  camel-cxf-soap\n  *  camel-http\n  *  camel-jetty\n  *  camel-jms\n  *  camel-kafka\n  *  camel-knative\n  *  camel-mail\n  *  camel-nats\n  *  camel-netty-http\n  *  camel-platform-http\n  *  camel-rest\n  *  camel-sjms\n  *  camel-spring-rabbitmq\n  *  camel-stomp\n  *  camel-tahu\n  *  camel-undertow\n  *  camel-xmpp\n\nThe vulnerability arises due to a bug in the default filtering mechanism that only blocks headers starting with \"Camel\", \"camel\", or \"org.apache.camel.\". \n\nMitigation: You can easily work around this in your Camel applications by removing the headers in your Camel routes. There are many ways of doing this, also globally or per route. This means you could use the removeHeaders EIP, to filter out anything like \"cAmel, cAMEL\" etc, or in general everything not starting with \"Camel\", \"camel\" or \"org.apache.camel.\".",
   id: "GHSA-2c2h-2855-mf97",
   modified: "2025-03-25T18:38:07Z",
   published: "2025-03-09T15:31:19Z",
   references: [
      {
         type: "ADVISORY",
         url: "https://nvd.nist.gov/vuln/detail/CVE-2025-27636",
      },
      {
         type: "WEB",
         url: "https://github.com/apache/camel/commit/23a833eec6131a3cdce6e4b1b40b3ac2035b6adf",
      },
      {
         type: "WEB",
         url: "https://github.com/apache/camel/commit/45a6b74f7f8af8fd58f197566938a9534392a624",
      },
      {
         type: "WEB",
         url: "https://camel.apache.org/security/CVE-2025-27636.html",
      },
      {
         type: "WEB",
         url: "https://github.com/akamai/CVE-2025-27636-Apache-Camel-PoC/blob/main/src/main/java/com/example/camel/VulnerableCamel.java",
      },
      {
         type: "PACKAGE",
         url: "https://github.com/apache/camel",
      },
      {
         type: "WEB",
         url: "https://github.com/apache/camel/blob/camel-4.9.0/core/camel-support/src/main/java/org/apache/camel/support/DefaultHeaderFilterStrategy.java",
      },
      {
         type: "WEB",
         url: "https://issues.apache.org/jira/browse/CAMEL-21828",
      },
      {
         type: "WEB",
         url: "https://lists.apache.org/thread/l3zcg3vts88bmc7w8172wkgw610y693z",
      },
      {
         type: "WEB",
         url: "http://www.openwall.com/lists/oss-security/2025/03/09/1",
      },
   ],
   schema_version: "1.4.0",
   severity: [
      {
         score: "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
         type: "CVSS_V4",
      },
   ],
   summary: "Apache Camel: Camel Message Header Injection via Improper Filtering",
}

fkie_cve-2025-27636

Vulnerability from fkie_nvd

Published

2025-03-09 13:15

Modified

2025-03-17 15:15

Severity ?

5.6 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Summary

References

▼	URL	Tags
	security@apache.org	https://camel.apache.org/security/CVE-2025-27636.html
	security@apache.org	https://issues.apache.org/jira/browse/CAMEL-21828
	security@apache.org	https://lists.apache.org/thread/l3zcg3vts88bmc7w8172wkgw610y693z
	af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2025/03/09/1
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://camel.apache.org/security/CVE-2025-27636.txt.asc
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/akamai/CVE-2025-27636-Apache-Camel-PoC/blob/main/src/main/java/com/example/camel/VulnerableCamel.java

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "Bypass/Injection vulnerability in Apache Camel components under particular conditions.\n\nThis issue affects Apache Camel: from 4.10.0 through <= 4.10.1, from 4.8.0 through <= 4.8.4, from 3.10.0 through <= 3.22.3.\n\nUsers are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases.\n\n\n\nThis vulnerability is present in Camel's default incoming header filter, that allows an attacker to include Camel specific\n\nheaders that for some Camel components can alter the behaviours such as the camel-bean component, to call another method\n\non the bean, than was coded in the application. In the camel-jms component, then a malicious header can be used to send\n\nthe message to another queue (on the same broker) than was coded in the application. This could also be seen by using the camel-exec component\n\n\n\n\nThe attacker would need to inject custom headers, such as HTTP protocols. So if you have Camel applications that are\n\ndirectly connected to the internet via HTTP, then an attacker could include malicious HTTP headers in the HTTP requests\n\nthat are send to the Camel application.\n\n\n\n\nAll the known Camel HTTP component such as camel-servlet, camel-jetty, camel-undertow, camel-platform-http, and camel-netty-http would be vulnerable out of the box.\n\nIn these conditions an attacker could be able to forge a Camel header name and make the bean component invoking other methods in the same bean.\n\nIn terms of usage of the default header filter strategy the list of components using that is: \n\n\n  *  camel-activemq\n  *  camel-activemq6\n  *  camel-amqp\n  *  camel-aws2-sqs\n  *  camel-azure-servicebus\n  *  camel-cxf-rest\n  *  camel-cxf-soap\n  *  camel-http\n  *  camel-jetty\n  *  camel-jms\n  *  camel-kafka\n  *  camel-knative\n  *  camel-mail\n  *  camel-nats\n  *  camel-netty-http\n  *  camel-platform-http\n  *  camel-rest\n  *  camel-sjms\n  *  camel-spring-rabbitmq\n  *  camel-stomp\n  *  camel-tahu\n  *  camel-undertow\n  *  camel-xmpp\n\n\n\n\n\n\nThe vulnerability arises due to a bug in the default filtering mechanism that only blocks headers starting with \"Camel\", \"camel\", or \"org.apache.camel.\". \n\n\nMitigation: You can easily work around this in your Camel applications by removing the headers in your Camel routes. There are many ways of doing this, also globally or per route. This means you could use the removeHeaders EIP, to filter out anything like \"cAmel, cAMEL\" etc, or in general everything not starting with \"Camel\", \"camel\" or \"org.apache.camel.\".",
      },
      {
         lang: "es",
         value: "Vulnerabilidad de bypass/inyección en el componente Apache Camel-Bean en determinadas condiciones. Este problema afecta a Apache Camel: desde la versión 4.10.0 hasta la &lt;= 4.10.1, desde la versión 4.8.0 hasta la &lt;= 4.8.4, desde la versión 3.10.0 hasta la &lt;= 3.22.3. Se recomienda a los usuarios que actualicen a la versión 4.10.2 para 4.10.x LTS, 4.8.5 para 4.8.x LTS y 3.22.4 para las versiones 3.x. Esta vulnerabilidad solo está presente en la siguiente situación. El usuario está utilizando uno de los siguientes servidores HTTP a través de uno de los siguientes componentes Camel * camel-servlet * camel-jetty * camel-undertow * camel-platform-http * camel-netty-http y en la ruta, el intercambio se enrutará a un productor de camel-bean. Por lo tanto, SOLO el componente camel-bean está afectado. En particular: * La invocación del bean (solo se ve afectada si usas cualquiera de los anteriores junto con el componente camel-bean). * El bean que se puede llamar tiene más de 1 método implementado. En estas condiciones, un atacante podría falsificar un nombre de encabezado de Camel y hacer que el componente bean invoque otros métodos en el mismo bean. La vulnerabilidad surge debido a un error en el mecanismo de filtrado predeterminado que solo bloquea los encabezados que comienzan con \"Camel\", \"camel\" u \"org.apache.camel\". Mitigación: puedes solucionar esto fácilmente en tus aplicaciones Camel eliminando los encabezados en tus rutas Camel. Hay muchas formas de hacer esto, también globalmente o por ruta. Esto significa que puedes usar el EIP removeHeaders para filtrar cualquier cosa como \"cAmel, cAMEL\", etc., o en general todo lo que no comience con \"Camel\", \"camel\" u \"org.apache.camel\".",
      },
   ],
   id: "CVE-2025-27636",
   lastModified: "2025-03-17T15:15:44.750",
   metrics: {
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "HIGH",
               attackVector: "NETWORK",
               availabilityImpact: "LOW",
               baseScore: 5.6,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "LOW",
               integrityImpact: "LOW",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
               version: "3.1",
            },
            exploitabilityScore: 2.2,
            impactScore: 3.4,
            source: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
            type: "Secondary",
         },
      ],
   },
   published: "2025-03-09T13:15:34.403",
   references: [
      {
         source: "security@apache.org",
         url: "https://camel.apache.org/security/CVE-2025-27636.html",
      },
      {
         source: "security@apache.org",
         url: "https://issues.apache.org/jira/browse/CAMEL-21828",
      },
      {
         source: "security@apache.org",
         url: "https://lists.apache.org/thread/l3zcg3vts88bmc7w8172wkgw610y693z",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "http://www.openwall.com/lists/oss-security/2025/03/09/1",
      },
      {
         source: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
         url: "https://camel.apache.org/security/CVE-2025-27636.txt.asc",
      },
      {
         source: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
         url: "https://github.com/akamai/CVE-2025-27636-Apache-Camel-PoC/blob/main/src/main/java/com/example/camel/VulnerableCamel.java",
      },
   ],
   sourceIdentifier: "security@apache.org",
   vulnStatus: "Awaiting Analysis",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-178",
            },
         ],
         source: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
         type: "Secondary",
      },
   ],
}

rhsa-2025:3091

Vulnerability from csaf_redhat

Published

2025-03-20 15:47

Modified

2025-03-20 17:02

Summary

Red Hat Security Advisory: Red Hat Build of Apache Camel 4.8 for Quarkus 3.15 update is now available (RHBQ 3.15.3.SP2)

Notes

Topic

An update for Red Hat Build of Apache Camel 4.8 for Quarkus 3.15 update is now available (RHBQ 3.15.3.SP2). The purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products. Red Hat Product Security has rated this update as having a security impact of Moderate.

Details

An update for Red Hat Build of Apache Camel 4.8 for Quarkus 3.15 update is now available (RHBQ 3.15.3.SP2). The purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products: * org.apache.camel/camel-http-base: bypass of header filters via specially crafted response (CVE-2025-27636) * org.apache.camel/camel-http: bypass of header filters via specially crafted response (CVE-2025-27636)

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
   document: {
      aggregate_severity: {
         namespace: "https://access.redhat.com/security/updates/classification/",
         text: "Moderate",
      },
      category: "csaf_security_advisory",
      csaf_version: "2.0",
      distribution: {
         text: "Copyright © Red Hat, Inc. All rights reserved.",
         tlp: {
            label: "WHITE",
            url: "https://www.first.org/tlp/",
         },
      },
      lang: "en",
      notes: [
         {
            category: "summary",
            text: "An update for Red Hat Build of Apache Camel 4.8 for Quarkus 3.15 update is now available (RHBQ 3.15.3.SP2).\nThe purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products.\nRed Hat Product Security has rated this update as having a security impact of Moderate.",
            title: "Topic",
         },
         {
            category: "general",
            text: "An update for Red Hat Build of Apache Camel 4.8 for Quarkus 3.15 update is now available (RHBQ 3.15.3.SP2).\nThe purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products:\n* org.apache.camel/camel-http-base: bypass of header filters via specially crafted response (CVE-2025-27636)\n* org.apache.camel/camel-http: bypass of header filters via specially crafted response (CVE-2025-27636)",
            title: "Details",
         },
         {
            category: "legal_disclaimer",
            text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
            title: "Terms of Use",
         },
      ],
      publisher: {
         category: "vendor",
         contact_details: "https://access.redhat.com/security/team/contact/",
         issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
         name: "Red Hat Product Security",
         namespace: "https://www.redhat.com",
      },
      references: [
         {
            category: "self",
            summary: "https://access.redhat.com/errata/RHSA-2025:3091",
            url: "https://access.redhat.com/errata/RHSA-2025:3091",
         },
         {
            category: "external",
            summary: "https://access.redhat.com/security/updates/classification/#moderate",
            url: "https://access.redhat.com/security/updates/classification/#moderate",
         },
         {
            category: "external",
            summary: "https://access.redhat.com/security/cve/CVE-2025-27636",
            url: "https://access.redhat.com/security/cve/CVE-2025-27636",
         },
         {
            category: "external",
            summary: "2350682",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=2350682",
         },
         {
            category: "self",
            summary: "Canonical URL",
            url: "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_3091.json",
         },
      ],
      title: "Red Hat Security Advisory: Red Hat Build of Apache Camel 4.8 for Quarkus 3.15 update is now available (RHBQ 3.15.3.SP2)",
      tracking: {
         current_release_date: "2025-03-20T17:02:25+00:00",
         generator: {
            date: "2025-03-20T17:02:25+00:00",
            engine: {
               name: "Red Hat SDEngine",
               version: "4.4.1",
            },
         },
         id: "RHSA-2025:3091",
         initial_release_date: "2025-03-20T15:47:58+00:00",
         revision_history: [
            {
               date: "2025-03-20T15:47:58+00:00",
               number: "1",
               summary: "Initial version",
            },
            {
               date: "2025-03-20T15:47:58+00:00",
               number: "2",
               summary: "Last updated version",
            },
            {
               date: "2025-03-20T17:02:25+00:00",
               number: "3",
               summary: "Last generated version",
            },
         ],
         status: "final",
         version: "3",
      },
   },
   product_tree: {
      branches: [
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_name",
                        name: "Red Hat Build of Apache Camel 4.8 for Quarkus 3.15",
                        product: {
                           name: "Red Hat Build of Apache Camel 4.8 for Quarkus 3.15",
                           product_id: "Red Hat Build of Apache Camel 4.8 for Quarkus 3.15",
                           product_identification_helper: {
                              cpe: "cpe:/a:redhat:camel_quarkus:3.15",
                           },
                        },
                     },
                  ],
                  category: "product_family",
                  name: "Red Hat Build of Apache Camel",
               },
            ],
            category: "vendor",
            name: "Red Hat",
         },
      ],
   },
   vulnerabilities: [
      {
         cve: "CVE-2025-27636",
         cwe: {
            id: "CWE-644",
            name: "Improper Neutralization of HTTP Headers for Scripting Syntax",
         },
         discovery_date: "2025-03-07T18:53:28.136000+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2350682",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A vulnerability was found in Apache Camel. This flaw allows an attacker to bypass filtering via a specially crafted request containing a certain combination of upper and lower case characters due to an issue in the default header filtering mechanism, which blocks headers starting with \"Camel\" or \"camel.\"",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "camel-http: org.apache.camel: bypass of header filters via specially crafted response",
               title: "Vulnerability summary",
            },
            {
               category: "other",
               text: "This vulnerability is rated as having Moderate impact because it can only be triggered under certain configurations and does not enable complete takeover of the system. In order to be vulnerable, a system using the Apache Camel Framework must specifically be using the camel-bean component as a producer and the exchange is coming from a http-based consumer, such as HTTP component or platform-http. If exploitation occurs, an attacker could call other methods on that bean already in the classpath, but not from other arbitrary java beans, System.getenv, nor part of JDK itself.",
               title: "Statement",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat Build of Apache Camel 4.8 for Quarkus 3.15",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2025-27636",
            },
            {
               category: "external",
               summary: "RHBZ#2350682",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2350682",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2025-27636",
               url: "https://www.cve.org/CVERecord?id=CVE-2025-27636",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2025-27636",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2025-27636",
            },
            {
               category: "external",
               summary: "https://github.com/apache/camel/commit/781491b446921341f87a13824be4f7b5063776fc",
               url: "https://github.com/apache/camel/commit/781491b446921341f87a13824be4f7b5063776fc",
            },
            {
               category: "external",
               summary: "https://lists.apache.org/thread/l3zcg3vts88bmc7w8172wkgw610y693z",
               url: "https://lists.apache.org/thread/l3zcg3vts88bmc7w8172wkgw610y693z",
            },
         ],
         release_date: "2025-03-10T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2025-03-20T15:47:58+00:00",
               details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\nThe References section of this erratum contains a download link (you must log in to download the update).",
               product_ids: [
                  "Red Hat Build of Apache Camel 4.8 for Quarkus 3.15",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2025:3091",
            },
            {
               category: "workaround",
               details: "Remove headers from your Camel routes; this can be accomplished in several ways, including globally or per route.",
               product_ids: [
                  "Red Hat Build of Apache Camel 4.8 for Quarkus 3.15",
               ],
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "LOW",
                  baseScore: 6.3,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "LOW",
                  integrityImpact: "LOW",
                  privilegesRequired: "LOW",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
                  version: "3.1",
               },
               products: [
                  "Red Hat Build of Apache Camel 4.8 for Quarkus 3.15",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "camel-http: org.apache.camel: bypass of header filters via specially crafted response",
      },
   ],
}

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

cve-2025-27636

Vulnerability from cvelistv5

ghsa-2c2h-2855-mf97

Vulnerability from github

fkie_cve-2025-27636

Vulnerability from fkie_nvd

rhsa-2025:3091

Vulnerability from csaf_redhat

Tags

Sightings

Nomenclature