org.apache.camel:camel-netty-http@4.14.3

  • latest version

    4.21.0

  • latest non vulnerable version

  • first published

    12 years ago

  • latest version published

    16 days ago

  • licenses detected

  • package registry

  • Direct Vulnerabilities

    Known vulnerabilities in the org.apache.camel:camel-netty-http package. This does not include vulnerabilities belonging to this package’s dependencies.

    Fix vulnerabilities automatically

    Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

    Fix for free
    VulnerabilityVulnerable Version
    • M
    Information Exposure

    org.apache.camel:camel-netty-http is a versatile open-source integration framework based on known Enterprise Integration Patterns.

    Affected versions of this package are vulnerable to Information Exposure via the muteException handling in the NettyHttpConfiguration and NettyHttpComponent consumer path. An attacker can obtain a full Java stack trace by sending a request that triggers a route-processing exception on a netty-http endpoint. When muteException is left at its default setting, the consumer writes the exception details back to the client as text/plain instead of suppressing the body. That response can expose internal class names, file paths, hostnames, IP addresses, dependency versions, and other exception text to any client that can reach the endpoint.

    How to fix Information Exposure?

    Upgrade org.apache.camel:camel-netty-http to version 4.14.8, 4.18.3, 4.21.0 or higher.

    [,4.14.8)[4.15.0,4.18.3)[4.19.0,4.21.0)
    • C
    Deserialization of Untrusted Data

    org.apache.camel:camel-netty-http is a versatile open-source integration framework based on known Enterprise Integration Patterns.

    Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the ObjectInputFilter (VertxHttpHelper.deserializeJavaObjectFromStream and NettyHttpHelper.deserializeJavaObjectFromStream). An attacker can achieve remote code execution on a Camel application host by causing the producer to process a backend HTTP response with Content-Type: application/x-java-serialized-object when transferException=true or allowJavaSerializedObject=true and throwExceptionOnFailure remains enabled. The vulnerable code reads the response body through a raw ObjectInputStream without any class filtering, so a malicious or compromised backend, or a man-in-the-middle on plain HTTP, can supply a crafted serialized object. If a suitable gadget chain is present on the classpath, the application deserializes attacker-controlled data and executes attacker-chosen code.

    How to fix Deserialization of Untrusted Data?

    Upgrade org.apache.camel:camel-netty-http to version 4.14.8, 4.18.3, 4.20.0 or higher.

    [,4.14.8)[4.15.0,4.18.3)[4.19.0,4.20.0)
    • H
    Deserialization of Untrusted Data

    org.apache.camel:camel-netty-http is a versatile open-source integration framework based on known Enterprise Integration Patterns.

    Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to the default ObjectInputFilter. An attacker can trigger DNS-based information disclosure by sending a Java-serialized payload that deserializes into a collection such as HashMap containing java.net.URL or java.net.InetAddress objects. When Camel accepts the object message and applies the permissive default filter, the deserialization side effects issue outbound network lookups to an attacker-controlled host, leaking information through the DNS query and allowing untrusted serialized data to influence the JVM’s network behavior.

    Workarounds

    • Configure a JMS-provider-side deserialization allow-list before accepting untrusted ObjectMessage payloads: use Apache ActiveMQ Artemis deserializationAllowList / deserializationDenyList, or Apache ActiveMQ Classic org.apache.activemq.SERIALIZABLE_PACKAGES, to block malicious Java-serialized objects from reaching Camel and triggering DNS lookup side effects during deserialization.
    • If you cannot change the broker, override Camel’s default deserialization rules with an endpoint-level deserializationFilter or the JVM-wide -Djdk.serialFilter property, and include an explicit !java.net.** deny rule ahead of the broader java.** allow pattern to prevent java.net.URL / java.net.InetAddress from being deserialized.

    How to fix Deserialization of Untrusted Data?

    Upgrade org.apache.camel:camel-netty-http to version 4.14.8, 4.18.3, 4.21.0 or higher.

    [4.14.0,4.14.8)[4.15.0,4.18.3)[4.19.0,4.21.0)
    • M
    Information Exposure

    org.apache.camel:camel-netty-http is a versatile open-source integration framework based on known Enterprise Integration Patterns.

    Affected versions of this package are vulnerable to Information Exposure in the muteException option handling of the HTTP consumer. An attacker can obtain sensitive internal information, such as Java stack traces containing credentials, hostnames, IP addresses, filesystem paths, and application structure, by sending malformed requests or triggering route-internal failures. This is only exploitable if the muteException option is set to false (the default), or for Rest DSL consumers where the option is ignored regardless of configuration.

    How to fix Information Exposure?

    Upgrade org.apache.camel:camel-netty-http to version 4.14.8, 4.18.3, 4.21.0 or higher.

    [4.0.0,4.14.8)[4.15.0,4.18.3)[4.19.0,4.21.0)