SCA: security update for org.apache.camel:camel-support (GHSA-96v5-c2h5-56hm)

Medium | Tenable Cloud Security | Plugin ID 421116

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Bypass/Injection vulnerability in Apache Camel. This issue affects Apache Camel: from 4.10.0 before
4.10.2, from 4.8.0 before 4.8.5, from 3.10.0 before 3.22.4. Users are recommended to upgrade to version
4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases. This vulnerability is present in
Camel's default incoming header filter, which allows an attacker to include Camel-specific headers that,
for some Camel components such as camel-bean or camel-exec, can alter behaviour. If you have Camel
applications that are directly connected to the internet via HTTP, then an attacker could include
parameters in the HTTP requests sent to the Camel application that get translated into headers. The
headers could be provided either as request parameters of an HTTP method invocation or as part of the
payload of the HTTP method invocation. All the known Camel HTTP components, such as camel-servlet,
camel-jetty, camel-undertow, camel-platform-http, and camel-netty-http, would be vulnerable out of the
box. This CVE is related to CVE-2025-27636: while they have the same root cause and are fixed with the
same fix, CVE-2025-27636 was assumed to only be exploitable if an attacker could add malicious HTTP
headers, while we have now determined that it is also exploitable via HTTP parameters. As in
CVE-2025-27636, exploitation is only possible if the Camel route uses particular vulnerable
components. (CVE-2025-29891)
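As an added example (not part of the Tenable plugin or of Apache Camel), the following Python check maps an org.apache.camel:camel-support dependency version onto the affected ranges and fixed versions stated in the description above; the `groupId:artifactId:version` coordinate format and the sample dependency list are assumptions.

```python
import re

# Affected version ranges as stated in the advisory text:
# (lower bound inclusive, upper bound exclusive, fixed version to upgrade to).
AFFECTED_RANGES = [
    ((4, 10, 0), (4, 10, 2), "4.10.2"),  # 4.10.x LTS
    ((4, 8, 0), (4, 8, 5), "4.8.5"),     # 4.8.x LTS
    ((3, 10, 0), (3, 22, 4), "3.22.4"),  # 3.x
]

def parse_version(version: str) -> tuple:
    """Reduce a Maven version string ('4.10.1', '3.22.3.redhat-00001',
    '4.8.5-SNAPSHOT') to a comparable (major, minor, patch) tuple.
    Qualifiers are ignored, so a '-SNAPSHOT' of a fixed version compares as
    fixed; treat such builds as unverified rather than safe."""
    m = re.match(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())

def affected_range(version: str):
    """Return (low, high, fix) for the range containing `version`, else None."""
    v = parse_version(version)
    for low, high, fix in AFFECTED_RANGES:
        if low <= v < high:
            return low, high, fix
    return None

def remediation(version: str):
    """Fixed version to upgrade to, or None when the version is not affected."""
    hit = affected_range(version)
    return hit[2] if hit else None

def check_coordinate(coordinate: str) -> dict:
    """Evaluate a 'groupId:artifactId:version' coordinate (assumed format) from
    an SBOM or dependency tree. Only org.apache.camel:camel-support is in scope."""
    group, artifact, version = coordinate.split(":")[:3]
    in_scope = (group, artifact) == ("org.apache.camel", "camel-support")
    fix = remediation(version) if in_scope else None
    return {"coordinate": coordinate, "in_scope": in_scope,
            "vulnerable": fix is not None, "upgrade_to": fix}

if __name__ == "__main__":
    # Constructed sample dependency list, not taken from a real build.
    for coord in ("org.apache.camel:camel-support:4.10.1",
                  "org.apache.camel:camel-support:4.8.5",
                  "org.apache.camel:camel-core:4.10.1"):
        print(check_coordinate(coord))
```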

See Also

https://github.com/advisories/GHSA-96v5-c2h5-56hm

Plugin Details

Severity: Medium

ID: 421116

Version: Revision 1.10

Type: Local

Family: SCA Checks

Published: 3/13/2025

Updated: 6/1/2026

Risk Information

VPR

Risk Factor: Low

Score: 3.3

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 5.1

Temporal Score: 4

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2025-29891

CVSS v3

Risk Factor: Medium

Base Score: 4.8

Temporal Score: 4.3

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/12/2025

Vulnerability Publication Date: 3/12/2025

Reference Information

CVE: CVE-2025-29891

CWE: CWE-164