Bug 2266024 (CVE-2024-22371)

Summary: CVE-2024-22371 camel-core: Exposure of sensitive data by crafting a malicious EventFactory
Product: [Other] Security Response
Reporter: Rohit Keshri <rkeshri>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: aileenc, anstephe, asoldano, avibelli, bbaranow, bgeorges, bmaxwell, boliveir, brian.stansberry, cdewolf, chazlett, cmiranda, cmoulliard, darran.lofthouse, dhanak, dkreling, dosoudil, drichtar, dsimansk, fjuma, fmariani, fmongiar, gmalinko, ibek, ivassile, iweiss, janstey, jnethert, jpoth, jrokos, kingland, kverlaen, lgao, lthon, matzew, mnovotny, mosmerov, msochure, mstefank, msvehla, mulliken, nwallace, parichar, pcongius, pdelbell, pdrozd, peholase, pgallagh, pierdipi, pjindal, pmackay, pskopek, rguimara, rhuss, rowaters, rruss, rstancel, smaestri, sthorger, tasato, tcunning, tom.jenkinson, yfang
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Apache Camel. This issue may allow an attacker to expose sensitive data by crafting a malicious EventFactory and providing a custom ExchangeCreatedEvent.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 2270598

Description Rohit Keshri 2024-02-26 11:04:40 UTC
Exposure of sensitive data by crafting a malicious EventFactory and providing a custom ExchangeCreatedEvent that exposes sensitive data. Vulnerability in Apache Camel. This issue affects Apache Camel: from 3.21.X through 3.21.3, from 3.22.X through 3.22.0, from 4.0.X through 4.0.3, from 4.X through 4.3.0.

Users are recommended to upgrade to version 3.21.4, 3.22.1, 4.0.4 or 4.4.0, which fixes the issue.


References:
https://camel.apache.org/security/CVE-2024-22371.html
https://camel.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-22371
https://issues.apache.org/jira/browse/CAMEL-20305
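
The affected-version ranges and fixed releases listed in the description above, turned into a check a practitioner can run against a Maven build file. This is an added example, not part of the Bugzilla record, the Camel project or the Red Hat errata; the pom.xml snippet, the helper names and the treatment of "4.X through 4.3.0" as 4.1.0 up to 4.3.0 (because 4.0.x is listed separately and 4.0.4 is fixed) are assumptions made here. It only reflects upstream version numbers: Red Hat-built artifacts (versions with a redhat qualifier) carry backported fixes, so for those the RHSA is the authority, not these ranges.

```python
"""Affected-version check for CVE-2024-22371 in Apache Camel.

Added example, not code from the Camel project or this bug record.
Ranges are transcribed from the advisory text:
  affected: 3.21.x up to 3.21.3, 3.22.0, 4.0.x up to 4.0.3, 4.1.0 up to 4.3.0
  fixed:    3.21.4, 3.22.1, 4.0.4, 4.4.0
"""
import re
import xml.etree.ElementTree as ET

# (inclusive lower bound, inclusive upper bound) per advisory.
# The 4.1.0 lower bound for the "4.X" range is an assumption (see lead-in).
AFFECTED_RANGES = [
    ((3, 21, 0), (3, 21, 3)),
    ((3, 22, 0), (3, 22, 0)),
    ((4, 0, 0), (4, 0, 3)),
    ((4, 1, 0), (4, 3, 0)),
]

# Upstream release that closes the issue for each affected branch.
FIX_FOR_BRANCH = {(3, 21): "3.21.4", (3, 22): "3.22.1", (4, 0): "4.0.4"}
FIX_FOR_4X = "4.4.0"

MAVEN_NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def parse_version(text):
    """Return the leading numeric components of a version string as a tuple.

    '4.0.3' -> (4, 0, 3); a trailing qualifier such as '.redhat-00001' is
    dropped. Unresolved Maven properties like '${camel.version}' raise.
    """
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version):
    """True if the upstream version falls inside one of the advisory ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def recommended_fix(version):
    """Upstream fixed release for an affected version, or None if not affected."""
    if not is_affected(version):
        return None
    v = parse_version(version)
    return FIX_FOR_BRANCH.get(v[:2], FIX_FOR_4X)


def find_camel_dependencies(pom_xml):
    """Yield (artifactId, raw version) for every org.apache.camel dependency."""
    root = ET.fromstring(pom_xml)
    found = []
    for dep in root.iterfind(".//m:dependency", MAVEN_NS):
        gid = dep.findtext("m:groupId", default="", namespaces=MAVEN_NS)
        aid = dep.findtext("m:artifactId", default="", namespaces=MAVEN_NS)
        ver = dep.findtext("m:version", default="", namespaces=MAVEN_NS)
        if gid == "org.apache.camel":
            found.append((aid, ver))
    return found


def report(pom_xml):
    """(artifactId, version, affected, fix) per Camel dependency.

    A version that cannot be parsed (e.g. a '${...}' property that the
    effective POM would resolve) is reported as affected=None so it is not
    silently treated as safe.
    """
    rows = []
    for aid, ver in find_camel_dependencies(pom_xml):
        try:
            rows.append((aid, ver, is_affected(ver), recommended_fix(ver)))
        except ValueError:
            rows.append((aid, ver, None, None))
    return rows


# Constructed sample POM, not taken from any real project.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.apache.camel</groupId>
      <artifactId>camel-core</artifactId>
      <version>4.0.3</version>
    </dependency>
    <dependency>
      <groupId>org.apache.camel</groupId>
      <artifactId>camel-core-engine</artifactId>
      <version>3.21.4</version>
    </dependency>
    <dependency>
      <groupId>org.apache.camel</groupId>
      <artifactId>camel-main</artifactId>
      <version>${camel.version}</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for aid, ver, affected, fix in report(SAMPLE_POM):
        status = {True: f"AFFECTED, upgrade to {fix}", False: "not affected",
                  None: "version unresolved, check effective POM"}[affected]
        print(f"{aid} {ver}: {status}")
```

Run it against `mvn help:effective-pom` output rather than a raw pom.xml when versions come from properties or a BOM, otherwise the scanner sees `${...}` placeholders instead of numbers.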

Comment 3 errata-xmlrpc 2024-06-24 01:38:41 UTC
This issue has been addressed in the following products:

  RHOSS-1.33-RHEL-8

Via RHSA-2024:4057 https://access.redhat.com/errata/RHSA-2024:4057