org.apache.camel:camel-componentdsl 4.14.5

Direct Vulnerabilities

Known vulnerabilities in the org.apache.camel:camel-componentdsl package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Improperly Controlled Modification of Dynamically-Determined Object Attributes Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes throug the `CamelCoapResource.handleRequest()` function. An attacker can execute arbitrary operating system commands by injecting specially crafted CoAP URI query parameters that are mapped directly to internal message headers, which are then processed by header-sensitive producers such as `camel-exec`. This allows the attacker to override executable commands and arguments, resulting in remote code execution under the privileges of the application process. Note: This is only exploitable if a route consumes from a `coap://` endpoint and forwards requests to a header-sensitive producer, with no `HeaderFilterStrategy` applied, and if DTLS is not enabled. How to fix Improperly Controlled Modification of Dynamically-Determined Object Attributes? Upgrade `org.apache.camel:camel-componentdsl` to version 4.14.6, 4.18.1 or higher.	[4.14.0,4.14.6)[4.18.0,4.18.1)
C Deserialization of Untrusted Data Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the `JmsBinding.extractBodyFromJms()` function in camel-jms and it's equivalents in camel-sjms that does not apply any ObjectInputFilter. An attacker can execute arbitrary code by sending a crafted JMS `ObjectMessage` to a queue or topic consumed by the application when the `mapJmsMessage` option is enabled (enabled by default). This is only exploitable if a deserialization gadget chain is present on the classpath. How to fix Deserialization of Untrusted Data? Upgrade `org.apache.camel:camel-componentdsl` to version 4.14.7, 4.18.2, 4.20.0 or higher.	[3.0.0-M1,4.14.7)[4.15.0,4.18.2)[4.19.0,4.20.0)

Vulnerability

Vulnerable Version

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes throug the CamelCoapResource.handleRequest() function. An attacker can execute arbitrary operating system commands by injecting specially crafted CoAP URI query parameters that are mapped directly to internal message headers, which are then processed by header-sensitive producers such as camel-exec. This allows the attacker to override executable commands and arguments, resulting in remote code execution under the privileges of the application process.

Note:

This is only exploitable if a route consumes from a coap:// endpoint and forwards requests to a header-sensitive producer, with no HeaderFilterStrategy applied, and if DTLS is not enabled.

How to fix Improperly Controlled Modification of Dynamically-Determined Object Attributes?

Upgrade org.apache.camel:camel-componentdsl to version 4.14.6, 4.18.1 or higher.

[4.14.0,4.14.6)[4.18.0,4.18.1)

Deserialization of Untrusted Data

Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the JmsBinding.extractBodyFromJms() function in camel-jms and it's equivalents in camel-sjms that does not apply any ObjectInputFilter. An attacker can execute arbitrary code by sending a crafted JMS ObjectMessage to a queue or topic consumed by the application when the mapJmsMessage option is enabled (enabled by default). This is only exploitable if a deserialization gadget chain is present on the classpath.

How to fix Deserialization of Untrusted Data?

Upgrade org.apache.camel:camel-componentdsl to version 4.14.7, 4.18.2, 4.20.0 or higher.

[3.0.0-M1,4.14.7)[4.15.0,4.18.2)[4.19.0,4.20.0)

org.apache.camel:camel-componentdsl@4.14.5

latest version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

Fix vulnerabilities automatically