Improper Handling of Case Sensitivity Affecting org.apache.camel:camel-support package, versions [3.10.0,3.22.4)[4.8.0,4.8.5)[4.10.0,4.10.2)

Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity due to a flaw in the default filtering mechanism that only blocks headers starting with specific prefixes. An attacker can manipulate header entries to invoke arbitrary methods from the Bean registry or use expressions as part of the method parameters, leading to unauthorized actions.

Notes:

This is only exploitable if the user is using one of the following HTTP Servers via one the of the following Camel components: camel-servlet, camel-jetty, camel-undertow, camel-platform-http, camel-netty-http and in the route, the exchange will be routed to a camel-bean producer. So only the camel-bean component is affected. In particular, this is only exploitable if:

1. Any of the above components are used together with camel-bean component;

2. The bean that can be called, has more than 1 method implemented;

3. Methods are declared in the same bean specified in the bean URI.

The interaction between the dependencies described above is the necessary precondition to be vulnerable, but camel-support is the dependency whose vulnerable code is the root cause of the issue. Upgrading it to the fixed version ensures that the vulnerability has been remediated. Application owners for whom upgrading is not an option or whose environment does not meet all of the criteria for exploitation should consider the suggested workaround or safely ignoring this issue if it is inapplicable.

This vulnerability can be mitigated by removing headers in Camel routes, either globally or per route, using the removeHeaders EIP to filter out headers not starting with the expected prefixes.

• Apache Issue
• Apache Thread
• Blog Post
• GitHub Commit
• PoC