GHSA-cmc3-hr79-8mmv
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attacker needs sqs:SendMessage on the queue (PR:L) and a header-sensitive downstream producer must exist (AC:H); impact is chiefly integrity via header injection, with variable confidentiality and no direct availability loss.
Primary rating from Vendor (CNA).
CVSS VectorVendor
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6Description PRE-NVD
Articles & Coverage 5
AnalysisAI
Camel-internal control header injection in the Apache Camel AWS2-SQS component (camel-aws2-sqs) lets any principal holding sqs:SendMessage on a consumed SQS queue override downstream producer behaviour in a route. Because Sqs2HeaderFilterStrategy defined only an outbound filter and no inbound filter, DefaultHeaderFilterStrategy copied sender-supplied attributes such as CamelHttpUri, CamelFileName and CamelSqlQuery verbatim into the Exchange, so an attacker can redirect HTTP producers, rename files or override SQL queries. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires that the target route consumes from an SQS queue via the camel-aws2-sqs component on a vulnerable version (4.0.0-4.14.7, 4.15.0-4.18.2, or 4.19.0-4.20.x) AND that the route contains a downstream producer whose behaviour is steered by a Camel control header - for example an HTTP producer honoring CamelHttpUri, a file producer honoring CamelFileName, or a SQL producer honoring CamelSqlQuery. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The published CVSS 3.1 base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), but that rating overstates real-world risk for this design flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with cross-account or lower-privileged in-account sqs:SendMessage rights posts a message to the consumed SQS queue with a MessageAttribute named CamelHttpUri set to an attacker-controlled URL. When Sqs2Consumer maps the attribute into the Exchange, a downstream HTTP producer in the route uses the injected value and sends the request (and any accompanying data) to the attacker's endpoint. … |
| Remediation | Vendor-released patch: upgrade to Apache Camel 4.21.0, which adds an inbound HeaderFilterStrategy rule to Sqs2HeaderFilterStrategy that filters the Camel header namespace case-insensitively so sender-supplied Camel*/camel* headers are no longer mapped into the Exchange. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit systems running camel-aws2-sqs (Apache Camel AWS2-SQS component) and identify all routes consuming SQS messages. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Bypass/Injection vulnerability in Apache Camel components under particular conditions.10.0 through <= 4.10.1, from 4.8.0
The XSLT component in Apache Camel before 2.11.4 and 2.12.x before 2.12.3 allows remote attackers to read arbitrary file
Apache Camel's Jackson and JacksonXML unmarshalling operation are vulnerable to Remote Code Execution attacks. Rated cri
The XSLT component in Apache Camel 2.11.x before 2.11.4, 2.12.x before 2.12.3, and possibly earlier versions allows remo
Cross-realm token acceptance bypass in Apache Camel Keycloak security policy. The KeycloakSecurityPolicy fails to proper
Deserialization of Untrusted Data vulnerability in Apache Camel LevelDB component. The Camel-LevelDB DefaultLevelDBSeria
The camel-mina component's MinaConverter.toObjectInput(IoBuffer) type converter wraps an IoBuffer in a java.io.ObjectInp
Apache Camel's File is vulnerable to directory traversal. Rated high severity (CVSS 7.5), this vulnerability is remotely
The camel-castor component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-se
The camel-xstream component in Apache Camel before 2.15.5 and 2.16.x before 2.16.1 allow remote attackers to execute arb
The camel-hessian component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-s
Apache Camel before 2.9.7, 2.10.0 before 2.10.7, 2.11.0 before 2.11.2, and 2.12.0 allows remote attackers to execute arb
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41830