This is an automated email from the ASF dual-hosted git repository.
acosentino pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel-website.git
The following commit(s) were added to refs/heads/main by this push:
new 06f33706 Added Security Advisory for CVE-2025-30177 (#1331)
06f33706 is described below
commit 06f33706b78dafe7e2568cbe85515e540ba35aee
Author: Andrea Cosentino <[email protected]>
AuthorDate: Tue Apr 1 12:15:45 2025 +0200
Added Security Advisory for CVE-2025-30177 (#1331)
Signed-off-by: Andrea Cosentino <[email protected]>
---
content/security/CVE-2025-30177.md | 18 ++++++++++++++++++
content/security/CVE-2025-30177.txt.asc | 32 ++++++++++++++++++++++++++++++++
2 files changed, 50 insertions(+)
diff --git a/content/security/CVE-2025-30177.md
b/content/security/CVE-2025-30177.md
new file mode 100644
index 00000000..2170dd87
--- /dev/null
+++ b/content/security/CVE-2025-30177.md
@@ -0,0 +1,18 @@
+---
+title: "Apache Camel Security Advisory - CVE-2025-30177"
+date: 2025-04-01T07:30:42+02:00
+url: /security/CVE-2025-30177.html
+draft: false
+type: security-advisory
+cve: CVE-2025-30177
+severity: MEDIUM
+summary: "Camel-Undertow Message Header Injection via Improper Filtering"
+description: "Camel undertow component is vulnerable to Camel message header
injection, in particular the custom header filter strategy used by the
component only filter the "out" direction, while it doesn't filter the "in"
direction.This allows an attacker to include Camel specific headers that for
some Camel components can alter the behaviours such as the camel-bean
component, or the camel-exec component."
+mitigation: "Users are recommended to upgrade to version 4.10.3 for 4.10.x LTS
and 4.8.6 for 4.8.x LTS."
+credit: "This issue was discovered and reported by Mark Thorson of AT&T."
+affected: Apache Camel 4.10.0 before 4.10.3. Apache Camel 4.8.0 before 4.8.6.
+fixed: 4.8.6 and 4.10.3
+---
+
+The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-21876 refers to
the commit that resolved the issue, and have more details.
+This CVE is related to the CVE-2025-27636 and CVE-2025-29891.
diff --git a/content/security/CVE-2025-30177.txt.asc
b/content/security/CVE-2025-30177.txt.asc
new file mode 100644
index 00000000..1a5b6d50
--- /dev/null
+++ b/content/security/CVE-2025-30177.txt.asc
@@ -0,0 +1,32 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA256
+
+- ---
+title: "Apache Camel Security Advisory - CVE-2025-30177"
+date: 2025-04-01T07:30:42+02:00
+url: /security/CVE-2025-30177.html
+draft: false
+type: security-advisory
+cve: CVE-2025-30177
+severity: MEDIUM
+summary: "Camel-Undertow Message Header Injection via Improper Filtering"
+description: "Camel undertow component is vulnerable to Camel message header
injection, in particular the custom header filter strategy used by the
component only filter the "out" direction, while it doesn't filter the "in"
direction.This allows an attacker to include Camel specific headers that for
some Camel components can alter the behaviours such as the camel-bean
component, or the camel-exec component."
+mitigation: "Users are recommended to upgrade to version 4.10.3 for 4.10.x LTS
and 4.8.6 for 4.8.x LTS."
+credit: "This issue was discovered and reported by Mark Thorson of AT&T."
+affected: Apache Camel 4.10.0 before 4.10.3. Apache Camel 4.8.0 before 4.8.6.
+fixed: 4.8.6 and 4.10.3
+- ---
+
+The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-21876 refers to
the commit that resolved the issue, and have more details.
+This CVE is related to the CVE-2025-27636 and CVE-2025-29891.
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAEBCAAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmfru8QACgkQ406fOAL/
+QQAUUwgAscNOr82n65rdFrPRISN4iNLPL8uDtUjBpfROgQBu2vRn6Uk/Me+tIRR4
+lPOP0k8kKwdkjsJB1RqrhvPWsVcLfBap9J22m91HTv/k7Ijz4nZqqJWIqV1sy2+T
+0DQP+vGFmxVnhE3ySizKVj38TW03jPdRE+FizTNWWm5T1ikKPITcy4MN2ChvjnN+
+R1uDdm7n0BwCmI+IeKlBI9ZZ2gXfNiwi3u8XXerv77t7PmNwT7m0ms559U7hmduO
+eIqsztK2ZBwghtMooXzsJIFyZnWliuh0Avbejt3Q8jMQ7T9fjJi2ZXYbkyflU1Yj
+nfZi/viGEpTzoBS3FaEtGbVGPnJUiw==
+=u83l
+-----END PGP SIGNATURE-----
