[ https://issues.apache.org/jira/browse/CAMEL-21880?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17936466#comment-17936466 ]

Andrea Cosentino edited comment on CAMEL-21880 at 3/18/25 11:56 AM:
--------------------------------------------------------------------

The CVE has nothing to do with that. That CVE only exists in case you're using 
the HTTP endpoint as consumer for Jetty, Netty-http, servlet, platform-http and 
HTTP. It's not the case for other components. We are talking about different 
things and Camel 3.x won't have any new release.


> camel-kafka - header filter strategy
> ------------------------------------
>
>                 Key: CAMEL-21880
>                 URL: https://issues.apache.org/jira/browse/CAMEL-21880
>             Project: Camel
>          Issue Type: Bug
>          Components: camel-kafka
>    Affects Versions: 3.22.3, 4.10.2
>            Reporter: Jens Kordowski
>            Priority: Major
>
> Due to [https://www.cve.org/CVERecord?id=CVE-2025-27636] the following 
> extension has been implemented: 
> https://issues.apache.org/jira/browse/CAMEL-21828
> This has an effect on 
> [https://github.com/apache/camel/blob/main/components/camel-http-common/src/main/java/org/apache/camel/http/common/HttpHeaderFilterStrategy.java]
>  as it sets lowerCase to true. The same is not true for 
> [https://github.com/apache/camel/blob/main/components/camel-kafka/src/main/java/org/apache/camel/component/kafka/KafkaHeaderFilterStrategy.java]
> Very old implementations of the same 
> ([https://github.com/apache/camel/blob/camel-2.25.4/components/camel-kafka/src/main/java/org/apache/camel/component/kafka/KafkaHeaderFilterStrategy.java])
>  were using patterns, which were explicitly marked case-insensitive and this 
> changed thereafter. Following this recent CVE and the changes, I assume this 
> was not desired, hence I marked it as a bug.
>  
> There might be other header filter strategies out there that do not set 
> lowerCase to true.
>  
> Best regards
> Jens
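The difference the report describes, as an added example that is not Camel's own code: a DefaultHeaderFilterStrategy whose outFilter set names a Camel-internal header only drops the exact spelling unless lowerCase is set, in which case every case variant is normalised before the lookup. It assumes the Camel 4.x DefaultHeaderFilterStrategy API (setOutFilter, setLowerCase, applyFilterToCamelHeaders) and that the default implementation does not consult the Exchange argument, so null is passed.

```java
import java.util.HashSet;
import java.util.Set;

import org.apache.camel.support.DefaultHeaderFilterStrategy;

/**
 * Illustrative check (not a Camel class): compares how a header filter
 * strategy treats mixed-case header names with lowerCase=false and
 * lowerCase=true. Assumes the Camel 4.x DefaultHeaderFilterStrategy API.
 */
public class HeaderFilterCaseCheck {

    /** Strategy that blocks the Camel-internal headers listed in its out filter. */
    static DefaultHeaderFilterStrategy strategy(boolean lowerCase) {
        DefaultHeaderFilterStrategy s = new DefaultHeaderFilterStrategy();
        Set<String> blocked = new HashSet<>();
        blocked.add("camelhttpquery"); // filter entries are kept in lower case
        s.setOutFilter(blocked);
        s.setLowerCase(lowerCase);     // lower-case the header name before lookup?
        return s;
    }

    /** True when the strategy drops the header before it reaches the external system. */
    static boolean dropped(DefaultHeaderFilterStrategy s, String headerName) {
        // Assumption: the default strategy ignores the Exchange, so null is acceptable here.
        return s.applyFilterToCamelHeaders(headerName, "value", null);
    }

    public static void main(String[] args) {
        String[] variants = {"camelhttpquery", "CamelHttpQuery", "CAMELHTTPQUERY"};
        for (boolean lowerCase : new boolean[] {false, true}) {
            DefaultHeaderFilterStrategy s = strategy(lowerCase);
            for (String name : variants) {
                System.out.printf("lowerCase=%-5s %-16s dropped=%s%n",
                        lowerCase, name, dropped(s, name));
            }
        }
    }
}
```

Only the lowerCase=true strategy drops all three spellings; the lowerCase=false one lets the two mixed-case variants through, which is the gap the report points at for a strategy that never sets lowerCase.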



--
This message was sent by Atlassian Jira
(v8.20.10#820010)