Apache Camel Mail Component Header Injection Vulnerability

Vulnerability

A vulnerability exists in the Apache Camel Mail component that allows injection of Camel message headers because inbound headers are not filtered. The component's custom header filter strategy, MailHeaderFilterStrategy, is applied only to outgoing headers and not to incoming ones. Because the mail consumer copies the headers of a received email into the Exchange, an attacker who can send email to a mailbox that a Camel route monitors can inject Camel-specific headers into the Exchange. Such injected headers can disrupt the behavior of downstream Camel components such as camel-bean, camel-exec, or camel-sql, which read their instructions from headers. The vulnerability affects Apache Camel versions from 3.0.0 up to but not including 4.14.6, and from 4.15.0 up to but not including 4.18.1.

Impact

Exploitation of this vulnerability allows for unauthorized injection of headers that can alter the behavior of Camel routes, potentially leading to unintended consequences in the application's workflow.

Remediation

Users should upgrade to Apache Camel version 4.19.0. For those on the 4.18.x LTS release stream, upgrade to 4.18.1. If on the 4.14.x LTS release stream, upgrade to 4.14.6.
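As an added illustration that is not part of this advisory and not code from the Apache Camel project, the route below shows the defense-in-depth control the advisory's description implies: strip every Camel-prefixed header from inbound mail before any downstream component can act on it, and name the target bean method in the route itself so a header cannot redirect the call. The IMAP host, credentials, and the mailHandler bean are assumed placeholders; removeHeaders, RAW() and Main are standard Camel DSL and runtime APIs.

```java
// Added example, not from the advisory or the Apache Camel project.
// Placeholders: the IMAP endpoint, the password and the "mailHandler" bean.
import org.apache.camel.builder.RouteBuilder;
import org.apache.camel.main.Main;

public class InboundMailHardeningRoute extends RouteBuilder {

    @Override
    public void configure() {
        // Poll a monitored mailbox. The mail consumer copies every header of the received
        // email into the Camel Exchange, so an email can carry headers such as
        // "CamelBeanMethodName" that downstream components treat as instructions.
        from("imap://monitor@mail.example.invalid?password=RAW(CHANGE_ME)&delay=60000")
            .routeId("inbound-mail")
            // Compensating control: drop every header whose name starts with "Camel"
            // before the exchange reaches camel-bean, camel-exec, camel-sql or similar.
            // Ordinary mail metadata (Subject, From, To, ...) is not Camel-prefixed and survives.
            .removeHeaders("Camel*")
            // Hand the message to application logic only after the filter. The method
            // is fixed here in the route, so a header cannot select a different one.
            .to("bean:mailHandler?method=handle")
            .log("processed mail with subject: ${header.Subject}");
    }

    // Stand-alone launcher so the route can be run without a surrounding application.
    public static void main(String[] args) throws Exception {
        Main main = new Main();
        main.configure().addRoutesBuilder(new InboundMailHardeningRoute());
        main.run(args);
    }
}
```

This route-level filter does not replace the upgrade: it only protects routes that include it, and the "Camel*" pattern should be checked against any Camel-prefixed headers the application legitimately relies on (removeHeaders also accepts exclude patterns for that case). Upgrading to a fixed release applies the filtering inside the component for all mail consumers.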

Added: Apr 27, 2026, 10:22 AM
Updated: Apr 27, 2026, 10:22 AM

Vulnerability Rating

Custom Algorithm

spread          5.4
impact          0.6
exploitability  4.1
remediation     7.7
relevance       6.8
threat          0.0
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.