Information Exposureorg.apache.camel:camel-netty-http is a versatile open-source integration framework based on known Enterprise Integration Patterns.
Affected versions of this package are vulnerable to Information Exposure via the muteException handling in the NettyHttpConfiguration and NettyHttpComponent consumer path. An attacker can obtain a full Java stack trace by sending a request that triggers a route-processing exception on a netty-http endpoint. When muteException is left at its default setting, the consumer writes the exception details back to the client as text/plain instead of suppressing the body. That response can expose internal class names, file paths, hostnames, IP addresses, dependency versions, and other exception text to any client that can reach the endpoint.
How to fix Information Exposure? Upgrade org.apache.camel:camel-netty-http to version 4.14.8, 4.18.3, 4.21.0 or higher.
| [,4.14.8)[4.15.0,4.18.3)[4.19.0,4.21.0) |
Deserialization of Untrusted Dataorg.apache.camel:camel-netty-http is a versatile open-source integration framework based on known Enterprise Integration Patterns.
Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the ObjectInputFilter (VertxHttpHelper.deserializeJavaObjectFromStream and NettyHttpHelper.deserializeJavaObjectFromStream). An attacker can achieve remote code execution on a Camel application host by causing the producer to process a backend HTTP response with Content-Type: application/x-java-serialized-object when transferException=true or allowJavaSerializedObject=true and throwExceptionOnFailure remains enabled. The vulnerable code reads the response body through a raw ObjectInputStream without any class filtering, so a malicious or compromised backend, or a man-in-the-middle on plain HTTP, can supply a crafted serialized object. If a suitable gadget chain is present on the classpath, the application deserializes attacker-controlled data and executes attacker-chosen code.
How to fix Deserialization of Untrusted Data? Upgrade org.apache.camel:camel-netty-http to version 4.14.8, 4.18.3, 4.20.0 or higher.
| [,4.14.8)[4.15.0,4.18.3)[4.19.0,4.20.0) |
Information Exposureorg.apache.camel:camel-netty-http is a versatile open-source integration framework based on known Enterprise Integration Patterns.
Affected versions of this package are vulnerable to Information Exposure in the muteException option handling of the HTTP consumer. An attacker can obtain sensitive internal information, such as Java stack traces containing credentials, hostnames, IP addresses, filesystem paths, and application structure, by sending malformed requests or triggering route-internal failures. This is only exploitable if the muteException option is set to false (the default), or for Rest DSL consumers where the option is ignored regardless of configuration.
How to fix Information Exposure? Upgrade org.apache.camel:camel-netty-http to version 4.14.8, 4.18.3, 4.21.0 or higher.
| [4.0.0,4.14.8)[4.15.0,4.18.3)[4.19.0,4.21.0) |