Apache Camel security advisory: CVE-2024-22371

Severity

LOW

Summary

Exposure of sensitive data by by crafting a malicious EventFactory and providing a custom ExchangeCreatedEvent that exposes sensitive data

Versions affected

From 3.0.0 before 3.21.4, from 3.22.0 before 3.22.1, from 4.0.0 before 4.0.4, from 4.1.0 before 4.4.0

Versions fixed

3.21.4, 3.22.1, 4.0.4 and 4.4.0

Description

The EventFactory class is vulnerable to temporary file information disclosure. Under specific conditions, it is possible to expose sensitive data

Notes

The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-20305 refers to the various commits that resolved the issue, and have more details.

Mitigation

Users are recommended to upgrade to version 4.4.0, which fixes the issue. If users are on the 4.0.x LTS releases stream, then they are suggested to upgrade to 4.0.4. If users are on 3.x, they are suggested to move to 3.21.4 or 3.22.1

Credit

This issue was discovered by Otavio Rodolfo Piske from Apache Software Foundation

References

PGP signed advisory data: CVE-2024-22371.txt.asc
Mitre CVE Entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22371