35547 matches found
Improperly Controlled Modification of Dynamically-Determined Object Attributes
Overview Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes in the filter process. An attacker can bypass intended security restrictions by supplying specially crafted argument headers that are not properly validated...
Allocation of Resources Without Limits or Throttling
Overview org.apache.iotdb:iotdb-server is a data management system for time series data, which can provide users specific services, such as, data collection, storage and analysis. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the...
Deserialization of Untrusted Data
Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the JmsBinding.extractBodyFromJms process when handling JMS ObjectMessages with the mapJmsMessage option enabled. An attacker can inject arbitrary Exchange state by publishing a crafted ObjectMessage...
Deserialization of Untrusted Data
Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the JmsBinding.extractBodyFromJms process when handling JMS ObjectMessages with the mapJmsMessage option enabled. An attacker can inject arbitrary Exchange state by publishing a crafted ObjectMessage...
Information Exposure
Overview Affected versions of this package are vulnerable to Information Exposure in the logging process when the DEBUG loglevel is enabled. An attacker can access sensitive information, such as API keys or LLM response data, by reading log files generated under these conditions. This is only...
Information Exposure
Overview Affected versions of this package are vulnerable to Information Exposure in the logging process when the DEBUG loglevel is enabled. An attacker can access sensitive information, such as API keys or LLM response data, by reading log files generated under these conditions. This is only...
Deserialization of Untrusted Data
Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the JmsBinding.extractBodyFromJms process when handling JMS ObjectMessages with the mapJmsMessage option enabled. An attacker can inject arbitrary Exchange state by publishing a crafted ObjectMessage...
Deserialization of Untrusted Data
Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the JmsBinding.extractBodyFromJms process when handling JMS ObjectMessages with the mapJmsMessage option enabled. An attacker can inject arbitrary Exchange state by publishing a crafted ObjectMessage...
Deserialization of Untrusted Data
Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the JmsBinding.extractBodyFromJms process when handling JMS ObjectMessages with the mapJmsMessage option enabled. An attacker can inject arbitrary Exchange state by publishing a crafted ObjectMessage...
Deserialization of Untrusted Data
Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the JmsBinding.extractBodyFromJms process when handling JMS ObjectMessages with the mapJmsMessage option enabled. An attacker can inject arbitrary Exchange state by publishing a crafted ObjectMessage...
Deserialization of Untrusted Data
Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data through deserializeMetadata when it reads key metadata from AWS Secrets Manager. An attacker who can write the secret that holds the PQC key metadata can supply a crafted Base64-encoded Java serializati...
Deserialization of Untrusted Data
Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to the default ObjectInputFilter. An attacker can trigger DNS-based information disclosure by sending a Java-serialized payload that deserializes into a collection such as HashMap containing...
Deserialization of Untrusted Data
Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to the default ObjectInputFilter. An attacker can trigger DNS-based information disclosure by sending a Java-serialized payload that deserializes into a collection such as HashMap containing...
Deserialization of Untrusted Data
Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to the default ObjectInputFilter. An attacker can trigger DNS-based information disclosure by sending a Java-serialized payload that deserializes into a collection such as HashMap containing...
Deserialization of Untrusted Data
Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to the default ObjectInputFilter. An attacker can trigger DNS-based information disclosure by sending a Java-serialized payload that deserializes into a collection such as HashMap containing...
Deserialization of Untrusted Data
Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to the default ObjectInputFilter. An attacker can trigger DNS-based information disclosure by sending a Java-serialized payload that deserializes into a collection such as HashMap containing...
Deserialization of Untrusted Data
Overview org.apache.camel:camel-netty is a Netty component for Apache Camel. Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to the default ObjectInputFilter. An attacker can trigger DNS-based information disclosure by sending a Java-serialized payload th...
Deserialization of Untrusted Data
Overview org.apache.camel:camel-netty-http is a versatile open-source integration framework based on known Enterprise Integration Patterns. Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to the default ObjectInputFilter. An attacker can trigger DNS-based...
Deserialization of Untrusted Data
Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to the default ObjectInputFilter. An attacker can trigger DNS-based information disclosure by sending a Java-serialized payload that deserializes into a collection such as HashMap containing...
Deserialization of Untrusted Data
Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to the default ObjectInputFilter. An attacker can trigger DNS-based information disclosure by sending a Java-serialized payload that deserializes into a collection such as HashMap containing...
Deserialization of Untrusted Data
Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to the default ObjectInputFilter. An attacker can trigger DNS-based information disclosure by sending a Java-serialized payload that deserializes into a collection such as HashMap containing...
Deserialization of Untrusted Data
Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to the default ObjectInputFilter. An attacker can trigger DNS-based information disclosure by sending a Java-serialized payload that deserializes into a collection such as HashMap containing...
Authorization Bypass Through User-Controlled Key
Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the ElasticSearchRestClientConstant header names and ElasticsearchRestClientEndpointBuilderFactory producer headers. An attacker can override the Elasticsearch query, operation, index...
Arbitrary Argument Injection
Overview Affected versions of this package are vulnerable to Arbitrary Argument Injection via the DoclingProducer custom CLI argument handling in camel-docling. An attacker can pass untrusted values through the CamelDoclingCustomArguments header to make the producer append unintended docling flag...
Deserialization of Untrusted Data
Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data through the managed Hazelcast instance creation paths in HazelcastDefaultComponentgetOrCreateHzInstance, HazelcastUtilnewInstance, HazelcastAggregationRepositorydoStart, and...
Deserialization of Untrusted Data
Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the ObjectInputFilter VertxHttpHelper.deserializeJavaObjectFromStream and NettyHttpHelper.deserializeJavaObjectFromStream. An attacker can achieve remote code execution on a Camel application host b...
Deserialization of Untrusted Data
Overview org.apache.camel:camel-netty-http is a versatile open-source integration framework based on known Enterprise Integration Patterns. Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the ObjectInputFilter VertxHttpHelper.deserializeJavaObjectFromStre...
User Impersonation
Overview Affected versions of this package are vulnerable to User Impersonation in certain Thrift RPC query handlers, which do not strictly validate the sessionId parameter. An attacker can read time-series data without authenticating by sending query requests carrying a forged sessionId, which t...
User Impersonation
Overview org.apache.iotdb:iotdb-server is a data management system for time series data, which can provide users specific services, such as, data collection, storage and analysis. Affected versions of this package are vulnerable to User Impersonation in certain Thrift RPC query handlers, which do...
Directory Traversal
Overview org.apache.iotdb:iotdb-server is a data management system for time series data, which can provide users specific services, such as, data collection, storage and analysis. Affected versions of this package are vulnerable to Directory Traversal in the DataNode internal RPC interface for...
Improper Input Validation
Overview Affected versions of this package are vulnerable to Improper Input Validation through Sqs2HeaderFilterStrategy. An attacker can inject Camel control headers into an SQS message by sending message attributes such as CamelHttpUri, CamelFileName, or CamelSqlQuery to a consumed queue. Those...
Directory Traversal
Overview Affected versions of this package are vulnerable to Directory Traversal in the DataNode internal RPC interface for creating Trigger instances, which builds a file path from the uploaded Trigger JAR name without sufficient validation. An attacker can write arbitrary files with the...
Improper Input Validation
Overview Affected versions of this package are vulnerable to Improper Input Validation through CometdBinding.populateExchangeFromMessage in camel-cometd. An attacker can inject Camel control headers into a CometD message by supplying an ext.CamelHeaders map when publishing to a CometD endpoint. T...
Improperly Controlled Modification of Dynamically-Determined Object Attributes
Overview Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes via the NatsConsumer process. An attacker can manipulate downstream producer behavior by injecting arbitrary control headers into messages published to the...
Insufficient Session Expiration
Overview Affected versions of this package are vulnerable to Insufficient Session Expiration via KeycloakSecurityHelper.parseAndVerifyAccessToken in the camel-keycloak component. An attacker can authenticate with an expired or not-yet-valid access token by sending a signed token to code paths tha...
Deserialization of Untrusted Data
Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data through the deserializeMetadata paths in AwsSecretsManagerKeyLifecycleManager, HashicorpVaultKeyLifecycleManager, and the legacy metadata migration path in FileBasedKeyLifecycleManager. An attacker can...
Improperly Controlled Modification of Dynamically-Determined Object Attributes
Overview org.apache.camel:camel-mail is a Camel Mail support. Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes through MailProducer.getSender in the mail component. An attacker can weaken SMTP transport security or...
Improper Neutralization of Special Elements in Data Query Logic
Overview Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Data Query Logic in the Neo4jProducer.retrieveNodes and deleteNode processes when JSON property names from the CamelNeo4jMatchProperties header are interpolated into the Cypher WHERE clause...
Improperly Controlled Modification of Dynamically-Determined Object Attributes
Overview Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes via the operationName and operationNamespace headers, which are not properly filtered by the HTTP header filter. An attacker can cause the backend SOAP servi...
Improperly Controlled Modification of Dynamically-Determined Object Attributes
Overview Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes via the operationName and operationNamespace headers, which are not properly filtered by the HTTP header filter. An attacker can cause the backend SOAP servi...
Improperly Controlled Modification of Dynamically-Determined Object Attributes
Overview Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes via the operationName and operationNamespace headers, which are not properly filtered by the HTTP header filter. An attacker can cause the backend SOAP servi...
Improperly Controlled Modification of Dynamically-Determined Object Attributes
Overview Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes via the operationName and operationNamespace headers, which are not properly filtered by the HTTP header filter. An attacker can cause the backend SOAP servi...
Improperly Controlled Modification of Dynamically-Determined Object Attributes
Overview Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes via the operationName and operationNamespace headers, which are not properly filtered by the HTTP header filter. An attacker can cause the backend SOAP servi...
Authorization Bypass Through User-Controlled Key
Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key through the LuceneConstants.HEADERQUERY and LuceneConstants.HEADERRETURNLUCENEDOCS headers in the Lucene producer. An attacker can override the intended Lucene search by sending an HTTP...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the VertxWebsocketConsumer inbound header mapping in components/camel-vertx/camel-vertx-websocket. An attacker can redirect server-side HTTP requests and disclose sensitive values by sending WebSocke...
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Overview Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component 'Injection' via the improper handling of HTTP headers with the SolrParam. and SolrField. prefixes. An attacker can manipulate Solr query parameters or...
Information Exposure
Overview org.apache.camel:camel-netty-http is a versatile open-source integration framework based on known Enterprise Integration Patterns. Affected versions of this package are vulnerable to Information Exposure via the muteException handling in the NettyHttpConfiguration and NettyHttpComponent...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the DnsConstants header handling in components/camel-dns/src/main/java/org/apache/camel/component/dns/DnsConstants.java and the DNS producers that consume those headers. An attacker can redirect DNS...
Improper Input Validation
Overview Affected versions of this package are vulnerable to Improper Input Validation via the improper handling of Exchange message headers in the JIRA component. An attacker can perform unauthorized JIRA operations by supplying specially crafted HTTP headers, leveraging the endpoint's configure...
Improperly Controlled Modification of Dynamically-Determined Object Attributes
Overview Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes via the kafka.OVERRIDETOPIC and other kafka. headers that bypass the upstream HTTP header filter. An attacker can redirect messages to arbitrary Kafka topics...