[
https://issues.apache.org/jira/browse/CAMEL-21880?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17936491#comment-17936491
]
Andrea Cosentino commented on CAMEL-21880:
------------------------------------------
This is a good description of the CVE
https://www.akamai.com/blog/security-research/march-apache-camel-vulnerability-detections-and-mitigations
In my opinion, we can add a lowerCase option, but not for the CVE, because it's
not the case described.
> camel-kafka - add lowerCase to header filter strategy
> -----------------------------------------------------
>
> Key: CAMEL-21880
> URL: https://issues.apache.org/jira/browse/CAMEL-21880
> Project: Camel
> Issue Type: Improvement
> Components: camel-kafka
> Affects Versions: 3.22.3, 4.10.2
> Reporter: Jens Kordowski
> Priority: Major
>
> Due to [https://www.cve.org/CVERecord?id=CVE-2025-27636] the following
> extension has been implemented:
> https://issues.apache.org/jira/browse/CAMEL-21828
> This has an effect on
> [https://github.com/apache/camel/blob/main/components/camel-http-common/src/main/java/org/apache/camel/http/common/HttpHeaderFilterStrategy.java]
> as it sets lowerCase to true. The same is not true for
> [https://github.com/apache/camel/blob/main/components/camel-kafka/src/main/java/org/apache/camel/component/kafka/KafkaHeaderFilterStrategy.java]
> Very old implementations of the same
> ([https://github.com/apache/camel/blob/camel-2.25.4/components/camel-kafka/src/main/java/org/apache/camel/component/kafka/KafkaHeaderFilterStrategy.java])
> were using patterns, which were explicitly marked case-insensitive and this
> changed thereafter. Following this recent CVE and the changes, I assume this
> was not desired, hence I marked it as bug.
>
> There might be other header filter strategies out there that do not set
> lowerCase to true.
>
> Best regards
> Jens
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
