Apache Camel CXF and Knative Message Header Injection Vulnerability

Vulnerability

Apache Camel's CXF and Knative components ship HeaderFilterStrategy implementations whose inbound filtering of Camel-internal headers is not properly configured. Because headers arriving from the wire are not screened for Camel-internal names, an unauthenticated attacker can place such headers in an HTTP request to a CXF-RS or CXF-SOAP endpoint and have them copied onto the Camel message. Once on the message, the injected headers override values that header-driven components read, which can lead to remote code execution or unauthorized file writes depending on the components used in the route. Affected versions are Apache Camel 3.18.0 up to but not including 4.14.6, and 4.15.0 up to but not including 4.18.2; the 4.19.0 release contains the fix.

Impact

An attacker who can reach an affected endpoint can set Camel-internal headers on the exchange and thereby override configured values in any header-driven component downstream in the route. Which outcome is reachable depends on those components; the advisory names remote code execution and arbitrary file writes as the possible results.

Remediation

Upgrade to a fixed release: 4.19.0 on the main line, 4.18.2 on the 4.18.x LTS release stream, or 4.14.6 on the 4.14.x LTS release stream.
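The following is an added illustration, not code from Apache Camel or from the advisory, of the configuration gap described under Vulnerability and of an interim hardening that can sit alongside the upgrade described under Remediation. It assumes the Camel 3.x/4.x `DefaultHeaderFilterStrategy` API (`setInFilterPattern`, `setOutFilterPattern`, `setCaseInsensitive`), the `headerFilterStrategy` endpoint option of the `cxfrs` component, and `RouteBuilder.bindToRegistry`. The regex used as the Camel-internal header name pattern, the endpoint address, the resource class `com.example.ApiResource`, the registry id `camelHeaderGuard` and the `direct:handle` target are all placeholders chosen for the example.

```java
import org.apache.camel.builder.RouteBuilder;
import org.apache.camel.support.DefaultHeaderFilterStrategy;

/**
 * Interim hardening (example code, not Camel's own): a HeaderFilterStrategy
 * that filters inbound headers whose names look Camel-internal, so a client
 * cannot smuggle them onto the Camel message. Upgrading Camel remains the fix.
 */
class CamelHeaderGuard extends DefaultHeaderFilterStrategy {

    // Assumption: case-insensitive "Camel..." or "org.apache.camel..." is the
    // conventional shape of Camel-internal header names. Treated as a
    // placeholder pattern; adjust to the headers your routes actually use.
    static final String CAMEL_INTERNAL_PATTERN =
            "(?i)(?:Camel|org\\.apache\\.camel)[\\.|a-z|A-z|0-9]*";

    CamelHeaderGuard() {
        // Outbound (Camel -> wire): keep suppressing Camel-internal headers so
        // they do not leak to the client.
        setOutFilterPattern(CAMEL_INTERNAL_PATTERN);

        // Inbound (wire -> Camel): the direction the advisory is about. The
        // vulnerable configuration leaves this unset, so Camel* headers sent
        // by the client are copied onto the message. Applying the same
        // pattern here filters them before any component can read them.
        setInFilterPattern(CAMEL_INTERNAL_PATTERN);

        // Header names are compared case-insensitively so "camelfilename"
        // and "CamelFileName" are treated the same.
        setCaseInsensitive(true);
    }
}

/**
 * Route that binds the guard strategy to a CXF-RS consumer and adds a second,
 * route-level barrier. Endpoint address and resource class are placeholders.
 */
public class GuardedRoutes extends RouteBuilder {

    @Override
    public void configure() {
        // Make the strategy addressable as #camelHeaderGuard in endpoint URIs.
        bindToRegistry("camelHeaderGuard", new CamelHeaderGuard());

        from("cxfrs:http://0.0.0.0:9000/api"
                + "?resourceClasses=com.example.ApiResource"
                + "&headerFilterStrategy=#camelHeaderGuard")
            // Defence in depth: strip any Camel-prefixed header that reached
            // the exchange before a header-driven component sees it. The
            // exclusion list keeps headers the CXF consumer itself sets and
            // the route may legitimately depend on; extend it to your needs.
            .removeHeaders("Camel*", "CamelHttpMethod", "CamelHttpPath")
            .to("direct:handle");
    }
}
```

Two caveats when adapting this. First, the route-level `removeHeaders("Camel*", ...)` also discards headers the consumer populates for its own purposes, so the exclusion list must be verified against the headers your route reads, or routing will silently change. Second, a custom strategy only covers endpoints that reference it; every `cxfrs:` and `cxf:` consumer exposed to untrusted clients needs the same `headerFilterStrategy` option, which is why the version upgrade, rather than per-endpoint configuration, is the durable remediation.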

Added: May 19, 2026, 2:54 PM
Updated: May 19, 2026, 2:54 PM

Vulnerability Rating

Custom Algorithm
spread: 5.4
impact: 10.0
exploitability: 4.7
remediation: 7.7
relevance: 8.8
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.