41 matches found
CVE-2024-22369
CVE-2024-22369 is a deserialization of untrusted data vulnerability in the Apache Camel SQL component, caused by unsafe deserialization in the JDBCAggregationRepository. Affected versions include Camel 3.0.0–3.21.3, the single release 3.22.0, 4.0.0–4.0.3, and 4.1.0–4.3.x (per the advisory). The issue could allo...
CVE-2024-23114
CVE-2024-23114 affects the Apache Camel CassandraQL component’s AggregationRepository, where an unsafe deserialization exposes a path to remote code execution under certain conditions. The associated connected advisories confirm the issue and list affected series: Camel 3.x (3.0.0–3.21.4, and 3.2...
CVE-2025-27636
CVE-2025-27636 affects Apache Camel versions 4.10.0–4.10.1, 4.8.0–4.8.4, and 3.10.0–3.22.3. The root cause is a case-sensitive DefaultHeaderFilterStrategy: it only blocks header names that start with exactly Camel, camel, or org.apache.camel., so a mixed-case variant such as CAmelExecCommandExecutable passes the filter and lets an attacker inject Camel-specific headers. In vulnerable ...
CVE-2025-29891
CVE-2025-29891 describes a bypass/injection in Apache Camel where the default incoming header filter may be bypassed, allowing headers to influence internal components (e.g., camel-bean, camel-exec) via HTTP parameters or headers. Affected versions: Camel 4.10.0–4.10.1, 4.8.0–4.8.4/...
CVE-2019-0188
Apache Camel before 2.24.0 is affected by an XXE vulnerability (CWE-611) caused by an outdated vulnerable JSON-lib in the camel-xmljson component, which has been removed in later releases. The issue is documented with CVE-2019-0188 and has a base score around 5.8 (IBM X-Force reference). Remediat...
CVE-2024-22371
Summary (CVE-2024-22371): Apache Camel contains a vulnerability where crafting a malicious EventFactory and supplying a custom ExchangeCreatedEvent could expose sensitive data. This affects Camel releases across multiple branches: 3.21.x (up to 3.21.3), 3.22.x (up to 3.22.0), 4.0.x (up to 4.0.3), ...
CVE-2020-11971
CVE-2020-11971: Apache Camel JMX Rebind Flaw affects Camel versions 2.22.x–3.1.0. The JMX rebind vulnerability could allow a remote attacker to access sensitive information via crafted requests. A fix is available: upgrade to Camel 3.2.0 or newer. CVSS scores reported include v3.1 base 7.5 (HIGH)...
CVE-2020-11994
CVE-2020-11994 is a Server-Side Template Injection in the Apache Camel templating component used by Oracle Enterprise Manager Cloud Control Base Platform (13.4.0.0), specifically in the Reporting Framework. The vulnerability enables arbitrary file disclosure and high-impact data exposure due to C...
CVE-2016-8749
Apache Camel (camel-jackson and camel-jacksonxml) is affected by CVE-2016-8749 due to unsafe Java object deserialization during Jackson/JacksonXML unmarshalling, enabling remote code execution. The issue is documented across multiple feeds (GHSA and Red Hat advisories) and affects Camel component...
CVE-2013-4330
CVE-2013-4330 is an Apache Camel remote code execution vulnerability caused by improper handling of the CamelFileName header when using FILE or FTP producers. Affected Camel core versions include 2.9.7 and earlier, as well as 2.10.0 before 2.10.7, 2.11.0 before 2.11.2, and 2.12.0, per the CVE des...
CVE-2017-3159
CVE-2017-3159 affects Apache Camel's camel-snakeyaml component, enabling Java deserialization that can lead to remote code execution when untrusted data is deserialized. The NVD entry rates the impact critical (CVSS v3 base 9.8: network vector, low attack complexity, no privileges required) with potential execu...
CVE-2014-0002
CVE-2014-0002 affects Apache Camel XSLT component. The vulnerability arises when parsing XML with external entity references, allowing an attacker to read files and potentially perform XXE-based attacks. IBM security bulletins for IBM Application Performance Management (and related Red Hat adviso...
CVE-2014-0003
CVE-2014-0003 affects the Apache Camel XSLT component. It allows a remote attacker to execute arbitrary Java methods by sending a crafted message due to the XSLT component’s ability to call external Java methods. Affected are Camel 2.11.x prior to 2.11.4 and 2.12.x prior to 2.12.3 (and possibly e...
CVE-2020-11972
CVE-2020-11972 affects Apache Camel RabbitMQ: Java deserialization is enabled by default in the RabbitMQ component, enabling remote code execution. Affected Camel versions include 2.22.x, 2.23.x, 2.24.x, 2.25.0, and 3.0.0 up to 3.1.0. To mitigate, upgrade the 2.x line to 2.25.1 or the 3.x line to 3.2...
CVE-2020-11973
CVE-2020-11973 affects Apache Camel's Netty component, which enables Java deserialization by default and is therefore exposed to deserialization of untrusted data. Affected Camel versions: 2.22.x, 2.23.x, 2.24.x, 2.25.0, and 3.0.0 up to 3.1.0. Remediation is to upgrade to Camel 2.25.1 (2.x line) or 3.2.0 (3.x line); no exploit details are provided in the do...
CVE-2020-5529
CVE-2020-5529 affects HtmlUnit prior to 2.37.0, where improper Rhino engine initialization enables a malicious JavaScript to execute arbitrary Java code within the application. The issue also extends to Android environments where Android-specific Rhino initialization is mishandled, allowing simil...
CVE-2017-5643
The CVE-2017-5643 issue affects Apache Camel’s Validation Component, which is vulnerable to SSRF via remote DTDs and XML External Entities (XXE) in XML streams. The vulnerability arises when the component processes DTDs/XXEs, allowing remote resources to be fetched. Impact details in connected do...
CVE-2019-0194
CVE-2019-0194 affects Apache Camel’s File component and enables directory traversal in Camel versions 2.21.0–2.21.3, 2.22.0–2.22.2, 2.23.0, and some older 2.x lines. Connected sources confirm this is a known vulnerability in multiple products (e.g., IBM Tivoli Netcool/OMNIbus components and Resil...
CVE-2015-5344
Apache Camel camel-xstream component suffers a remote code execution risk due to deserialization of untrusted data. The affected component is Camel XStream, with versions prior to 2.15.5 and 2.16.x prior to 2.16.1. The root cause is deserialization of crafted serialized Java objects, and exploita...
CVE-2015-5348
CVE-2015-5348 affects Apache Camel: HTTP requests carrying a Content-Type header of application/x-java-serialized-object are deserialized as Java objects by camel-jetty or camel-servlet, allowing remote code execution. Affected: Camel 2.6.x–2.14.x, 2.15.x before 2.15.5, and 2.16.x before 2.16.1. Root cause: insecure Java...
CVE-2015-0263
Apache Camel contains an XXE in the XML converter setup (converter/jaxp/XmlConverter.java) affecting versions before 2.13.4 and 2.14.x before 2.14.2, allowing remote attackers to read arbitrary files via an external entity in SAXSource. Remediation: upgrade to Camel 2.13.4+ or 2.14.2+. Exploitati...
CVE-2017-12633
The CVE-2017-12633 issue affects the Apache Camel camel-hessian component in Camel 2.x, due to a Java object deserialization vulnerability. Affected versions are Camel 2.x before 2.19.4 and 2.20.x before 2.20.1. Exploitation could enable remote code execution by deserializing untrusted data, with...
CVE-2018-8041
CVE-2018-8041 affects Apache Camel’s Mail component. Versions 2.20.0–2.20.3, 2.21.0–2.21.1, and 2.22.0 are vulnerable to a path traversal issue that can allow viewing arbitrary files via a crafted URL request. Root cause and exact exploit details are not provided in the supplied documents beyond ...
CVE-2015-0264
CVE-2015-0264: In Apache Camel, multiple XXE vulnerabilities exist in builder/xml/XPathBuilder.java that allow reading arbitrary files when processing invalid XML strings or GenericFile objects via an XML External Entity (XXE) declaration. Affected versions are Camel before 2.13.4 and 2.14.x befo...
CVE-2017-12634
The camel-castor component in Apache Camel 2.x is vulnerable to Java object deserialization (CVE-2017-12634). Affected versions are 2.x before 2.19.4 and 2.20.x before 2.20.1. Deserializing untrusted data can lead to security flaws, including potential Remote Code Execution. The CVSSv3 base score...
CVE-2018-8027
Apache Camel Core is vulnerable to XML External Entity (XXE) processing in the XSD validation processor. Affected versions are 2.20.0–2.20.3 and 2.21.0. Root cause: improper handling of XML external entities in the XSD validation path, enabling a remote attacker to read arbitrary files when a vic...
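The XSLT, XPathBuilder, XmlConverter, validator and XSD-validation entries above (CVE-2014-0002, CVE-2015-0263, CVE-2015-0264, CVE-2017-5643, CVE-2018-8027) share one root cause: a JAXP parser that resolves external entities. The following is an added example, not code from Apache Camel or from any of the advisories, that reproduces the pattern with the JDK's own parser: a constructed payload declares an external general entity pointing at a constructed temp file, a default-configured DocumentBuilderFactory hands the file contents back as element text, and a hardened factory refuses the document. The feature URIs are the standard Xerces/SAX ones shipped with the JDK; the file name, payload and method names are assumptions made for this example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

// Stand-alone demonstration of the XXE pattern behind the XSLT/XPath/XmlConverter/validator
// entries, using only the JDK's JAXP parser. Not Camel code; the secret file and the
// payload are constructed here for the example.
public class XxeParserHardening {

    // Parser configured the way an older component typically was: defaults, so external
    // general entities are fetched and expanded.
    static DocumentBuilderFactory permissiveFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Hardened parser: no DOCTYPE at all, so neither external entities nor entity-expansion
    // attacks can be declared. The remaining flags are belt-and-braces for deployments that
    // must keep DOCTYPE support and therefore cannot use disallow-doctype-decl.
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Parse and return the text content of the root element, or null when the parser
    // refuses the document (which is the desired outcome for the hardened factory).
    static String rootText(DocumentBuilderFactory f, String xml) throws Exception {
        try {
            Document d = f.newDocumentBuilder()
                    .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return d.getDocumentElement().getTextContent();
        } catch (SAXParseException refused) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed "secret" the attacker wants to read, written to a temp file.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.writeString(secret, "db_password=hunter2");
        secret.toFile().deleteOnExit();

        // Constructed payload: an external general entity whose SYSTEM id is that file.
        String payload = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE data [<!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">]>\n"
                + "<data>&xxe;</data>";

        System.out.println("permissive parser returned: " + rootText(permissiveFactory(), payload));
        System.out.println("hardened parser returned:   " + rootText(hardenedFactory(), payload));
    }
}
```

Run it with `java XxeParserHardening.java`. The permissive factory echoes the temp file's contents as the `<data>` text, which is exactly the arbitrary-file read the advisories describe; the hardened one returns null because the DOCTYPE is rejected before any entity is resolved. For the XSLT path specifically, the equivalent knobs on TransformerFactory are `setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "")` and `setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "")` together with `FEATURE_SECURE_PROCESSING`.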
CVE-2025-30177
Apache Camel vulnerability CVE-2025-30177 affects Camel-Undertow in Camel versions 4.10.0–4.10.3 and 4.8.0–4.8.6, where the DefaultHeaderFilterStrategy insufficiently filters incoming headers. The issue allows Camel-specific headers to bypass the header filter (notably in the Camel-Undertow ...
CVE-2026-33454
CVE-2026-33454 describes an inbound header filtering gap in Camel-Mail (MailHeaderFilterStrategy): inbound headers are not filtered, allowing attacker-delivered email to inject Camel-specific headers that can influence downstream components (e.g., camel-bean, camel-exec, camel-sql). Affected: Apache Cam...
CVE-2023-34442
CVE-2023-34442 concerns Apache Camel (JIRA integration) with information disclosure due to improper authorization validation in the Camel-Jira FileConverter, enabling a local or authenticated actor to view temporary file contents. Affected versions include Camel 3.x up to 3.14.8, 3.18.x up t...
CVE-2026-40453
Apache Camel non-HTTP HeaderFilterStrategies (camel-jms, camel-sjms, camel-coap, camel-google-pubsub) are affected by an incomplete fix for CVE-2025-27636. The fix added setLowerCase(true) to HttpHeaderFilterStrategy, but five non-HTTP implementations still use case-sensitive header filtering, wh...
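The header-filter entries above (CVE-2025-27636, CVE-2025-29891 and this incomplete-fix follow-up) all come down to a `startsWith` check against the prefixes `Camel`, `camel` and `org.apache.camel.` that is done case-sensitively. The following is an added example and is not Camel's DefaultHeaderFilterStrategy: it is a stand-alone model of that prefix logic, with the case-sensitive comparison beside the lower-casing one that `setLowerCase(true)` produces, plus an allow-list filter as the defence-in-depth a route should apply when it only needs a handful of external headers. The request headers are constructed for the example and the method names are assumptions.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

// Stand-alone model of the prefix-based header filtering described for
// CVE-2025-27636 / CVE-2026-40453. It is NOT Camel's DefaultHeaderFilterStrategy;
// it reproduces only the startsWith behaviour the advisories describe.
public class CamelHeaderPrefixFilterDemo {

    // Prefixes the default strategy treats as Camel-internal (from the advisory text).
    static final List<String> CAMEL_PREFIXES = List.of("Camel", "camel", "org.apache.camel.");

    // Vulnerable variant: exact, case-sensitive prefix comparison.
    static boolean blockedCaseSensitive(String headerName) {
        for (String prefix : CAMEL_PREFIXES) {
            if (headerName.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    // Fixed variant (the effect of setLowerCase(true)): normalise the name first, so
    // "CAmelExecCommandExecutable" and "CamelExecCommandExecutable" hit the same prefix.
    static boolean blockedLowerCase(String headerName) {
        String lower = headerName.toLowerCase(Locale.ROOT);
        for (String prefix : CAMEL_PREFIXES) {
            if (lower.startsWith(prefix.toLowerCase(Locale.ROOT))) {
                return true;
            }
        }
        return false;
    }

    // Apply a deny-list and return the headers that would reach the route.
    static Map<String, String> applyDenyList(Map<String, String> incoming, boolean lowerCase) {
        Map<String, String> out = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : incoming.entrySet()) {
            boolean blocked = lowerCase ? blockedLowerCase(e.getKey()) : blockedCaseSensitive(e.getKey());
            if (!blocked) {
                out.put(e.getKey(), e.getValue());
            }
        }
        return out;
    }

    // Defence in depth: copy only an explicit, case-insensitive allow-list of external
    // headers instead of everything a deny-list happens to let through.
    static Map<String, String> keepAllowListed(Map<String, String> incoming, Set<String> allowedLowerCase) {
        Map<String, String> out = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : incoming.entrySet()) {
            if (allowedLowerCase.contains(e.getKey().toLowerCase(Locale.ROOT))) {
                out.put(e.getKey(), e.getValue());
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample request headers; the names are illustrative and the
        // values are never executed or opened by this program.
        Map<String, String> request = new LinkedHashMap<>();
        request.put("Content-Type", "application/json");
        request.put("X-Request-Id", "abc123");
        request.put("CamelExecCommandExecutable", "id");   // blocked by both variants
        request.put("CAmelExecCommandExecutable", "id");   // survives the case-sensitive check
        request.put("cAmElFileName", "../../etc/passwd");  // survives the case-sensitive check
        request.put("ORG.APACHE.CAMEL.Foo", "bar");        // survives the case-sensitive check

        System.out.println("case-sensitive deny-list lets through: " + applyDenyList(request, false).keySet());
        System.out.println("lower-cased deny-list lets through:    " + applyDenyList(request, true).keySet());
        System.out.println("allow-list lets through:               "
                + keepAllowListed(request, Set.of("content-type", "x-request-id")).keySet());
    }
}
```

Run with `java CamelHeaderPrefixFilterDemo.java`. The three mixed-case names reach the route under the case-sensitive check and are dropped once the name is lower-cased, which is the whole difference between the vulnerable and fixed strategies; the allow-list result is the same as the fixed deny-list here, but it stays correct for a transport whose filter strategy has not been patched yet (the non-HTTP ones this entry lists).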
CVE-2026-33453
The CVE-2026-33453 issue affects Apache Camel’s camel-coap component, enabling header injection via CoAP URI query parameters. The camel-coap handler copies incoming CoAP URI query params directly into Camel Exchange In headers without a HeaderFilterStrategy, allowing an unauthenticated attacker ...
CVE-2026-23552
Summary: CVE-2026-23552 describes an authentication bypass in Apache Camel’s Camel-Keycloak integration via the KeycloakSecurityPolicy. Affected software: Apache Camel versions 4.15.0 through 4.17.9 (per the CVE entry and related Nessus/Red Hat entries). Root cause (as stated): The KeycloakSecuri...
CVE-2026-25747
CVE-2026-25747 describes a Deserialization of Untrusted Data vulnerability in the Apache Camel LevelDB component. The issue stems from the DefaultLevelDBSerializer using java.io.ObjectInputStream to read from the LevelDB aggregation repository without ObjectInputFilter or class-loading restrictio...
CVE-2026-40858
CVE-2026-40858 – Apache Camel: Camel-Infinispan insecure deserialization. The camel-infinispan component’s ProtoStream-based remote aggregation repository deserializes data read from a remote Infinispan cache using java.io.ObjectInputStream without ObjectInputFilter. An attacker who can write to t...
CVE-2026-47323
Summary: CVE-2026-47323 affects Apache Camel's CXF and Knative header filtering, where inbound header filtering is not configured. This allows unauthenticated injection of Camel-internal headers (e.g., CamelExecCommandExecutable, CamelFileName) via HTTP requests to CXF-RS or CXF-SOAP endpoints. W...
CVE-2026-40473
CVE-2026-40473 affects camel-mina, whose MinaConverter.toObjectInput(IoBuffer) wraps an IoBuffer in a java.io.ObjectInputStream without an ObjectInputFilter or class-loading restrictions. Affected: Apache Camel before certain fixed releases (3.0.0–4.14.6, 4.15.0–4.18.2, 4.19.0–4.20.0). ...
CVE-2026-40860
Apache Camel CVE-2026-40860 describes unsafe deserialization of JMS ObjectMessage payloads in camel-jms, camel-sjms, camel-sjms2 and camel-amqp. The root cause is deserialization via javax.jms.ObjectMessage.getObject() without ObjectInputFilter or allow/deny lists, triggered when mapJmsMessage is...
CVE-2026-27172
CVE-2026-27172 affects Apache Camel, Camel-Catalog: the ConsulRegistry reads Java-serialized values from the Consul KV store and deserializes them via ObjectInputStream.readObject() without an ObjectInputFilter. An attacker with write access to the backing KV store can inject a malicious serializ...
CVE-2026-40048
CVE-2026-40048 – Apache Camel PQC deserialization flaw: The Camel-PQC FileBasedKeyLifecycleManager deserializes the contents of .key files in the configured key directory via java.io.ObjectInputStream without ObjectInputFilter or class-loading restrictions. The vulnerable step is that the cast t...
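The LevelDB, Infinispan, MINA, Consul and PQC entries above (CVE-2026-25747, CVE-2026-40858, CVE-2026-40473, CVE-2026-27172, CVE-2026-40048) name the same defect: bytes from a store an attacker can write to are handed to `java.io.ObjectInputStream.readObject()` with no `ObjectInputFilter`, so whatever class name sits in the stream is resolved and instantiated. The following is an added example, not Camel code or the project's fix: it shows the unfiltered read beside a read guarded by an allow-list filter built with `ObjectInputFilter.Config.createFilter`, using a constructed "aggregation record" and a constructed stand-in class for whatever an attacker plants in the store. Class and method names are assumptions made for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;

// Stand-alone illustration of the ObjectInputStream pattern named in the CVE entries
// above and of the ObjectInputFilter that closes it. Not Camel code: the repository
// record and the planted class are constructed for this example.
public class FilteredRepositoryRead {

    // Stand-in for an arbitrary class an attacker places in the stored bytes. A real
    // gadget chain is rejected at the same point, before its readObject ever runs.
    static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
        String note = "not an aggregation record";
    }

    // Allow-list filter: only the types the repository legitimately stores, plus
    // resource limits so a crafted stream cannot exhaust memory or stack. "!*" rejects
    // every class not matched by an earlier pattern.
    static final ObjectInputFilter REPOSITORY_FILTER = ObjectInputFilter.Config.createFilter(
            "java.lang.String;java.util.HashMap;maxdepth=8;maxrefs=1000;maxbytes=65536;!*");

    static byte[] serialize(Object value) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(value);
        }
        return bytes.toByteArray();
    }

    // Vulnerable shape: whatever class the stream names gets resolved and instantiated.
    static Object readUnfiltered(byte[] stored) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(stored))) {
            return in.readObject();
        }
    }

    // Hardened shape: the filter is consulted for each class before it is loaded.
    static Object readFiltered(byte[] stored) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(stored))) {
            in.setObjectInputFilter(REPOSITORY_FILTER);
            return in.readObject();
        }
    }

    // For callers that only need to know whether the stored bytes were accepted.
    static boolean acceptedByFilter(byte[] stored) throws IOException, ClassNotFoundException {
        try {
            readFiltered(stored);
            return true;
        } catch (InvalidClassException rejected) {   // message ends with "filter status: REJECTED"
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample of what the repository legitimately stores.
        Map<String, String> record = new HashMap<>();
        record.put("correlationKey", "order-42");
        record.put("body", "partial aggregate");
        byte[] legitimate = serialize(record);

        // Constructed sample of attacker-written bytes sitting in the same store.
        byte[] planted = serialize(new Unexpected());

        System.out.println("unfiltered read of planted bytes instantiated: "
                + readUnfiltered(planted).getClass().getName());
        System.out.println("filtered read of legitimate bytes accepted: " + acceptedByFilter(legitimate));
        System.out.println("filtered read of planted bytes accepted:    " + acceptedByFilter(planted));
    }
}
```

Run with `java FilteredRepositoryRead.java`. The unfiltered reader happily instantiates `Unexpected` from the planted bytes; the filtered reader accepts the HashMap-of-Strings record and rejects the planted class with an `InvalidClassException`. Where the affected component cannot be patched promptly, the same allow-list can be imposed process-wide with `-Djdk.serialFilter=...` (or the `jdk.serialFilter` security property), which applies to every `ObjectInputStream` in the JVM, including the unfiltered reader above.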
CVE-2026-40022
CVE-2026-40022 affects Apache Camel Platform HTTP Main: when authentication is enabled and a non-root context path (e.g., /api or /admin) is configured, BasicAuthenticationConfigurer/JWTAuthenticationConfigurer derive the path from properties.getPath() if explicit authenticationPath is not set. C...
CVE-2025-66169
The CVE-2025-66169 entry concerns a Cypher Injection vulnerability in the Apache Camel camel-neo4j component. Affected versions are 4.10.0 before 4.10.8, 4.14.0 before 4.14.3, and 4.15.0 before 4.17.0. The underlying issue is improper handling of Cypher queries, leading to potential unauthorized ...