目标达成 感谢每一位支持者 — 我们达成了 100% 目标!

目标: 1000 元 · 已筹: 1336

100%

CVE-2026-46456— Apache Camel 输入验证错误漏洞

AI 预测 8.1 利用难度: 较易 EPSS 0.47% · P38

影响版本矩阵 3

厂商产品版本范围状态
Apache Software FoundationApache Camel4.0.0< 4.14.8affected
4.15.0< 4.18.3affected
4.19.0< 4.21.0affected
获取后续新漏洞提醒登录后订阅

一、 漏洞 CVE-2026-46456 基础信息

漏洞信息

对漏洞内容有疑问?看看神龙的深度分析是否有帮助!
查看神龙十问 ↗

尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。

Vulnerability Title
Apache Camel: Camel-AWS2-SQS: Inbound message attributes are mapped into the Exchange without an inbound HeaderFilterStrategy, allowing a message sender to inject Camel control headers
来源: 美国国家漏洞数据库 NVD
Vulnerability Description
Improper Input Validation vulnerability in Apache Camel AWS2-SQS Component. The camel-aws2-sqs component map inbound message attributes into the Camel Exchange through a component-specific HeaderFilterStrategy. Sqs2HeaderFilterStrategy configured only an outbound filter (setOutFilterPattern, which blocks Camel*, breadcrumbId and org.apache.camel.* headers being written to the broker) but did not configure an inbound filter. As a result, when Sqs2Consumer copies each SQS MessageAttribute into the Exchange via HeaderFilterStrategy.applyFilterToExternalHeaders, DefaultHeaderFilterStrategy applied no inbound rule and treated every header name as not filtered - including Camel-internal control headers such as CamelHttpUri, CamelFileName or CamelSqlQuery - copying them unmodified onto the Camel message. Any principal able to send messages to the consumed SQS queue (for example a cross-account sender or a lower-privileged in-account component holding sqs:SendMessage) could therefore set arbitrary Camel control headers that influence the behaviour of downstream producers in the route (for example redirecting an HTTP producer, changing a file name, or overriding a query); the injected headers also persist across internal direct, seda and vm hops. The concrete downstream impact depends on which producers the route uses. This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix adds an inbound HeaderFilterStrategy rule to Sqs2HeaderFilterStrategy that filters the Camel header namespace case-insensitively on inbound mapping, so sender-supplied Camel* / camel* headers are no longer copied into the Exchange. For deployments that cannot upgrade immediately, strip the Camel control headers from inbound messages before they reach any downstream producer (for example removeHeaders('Camel*') and removeHeaders('camel*') at the start of the route), and restrict who may send to the consumed SQS queue by applying least-privilege sqs:SendMessage permissions on the queue resource policy.
来源: 美国国家漏洞数据库 NVD
CVSS Information
N/A
来源: 美国国家漏洞数据库 NVD
Vulnerability Type
输入验证不恰当
来源: 美国国家漏洞数据库 NVD
Vulnerability Title
Apache Camel 输入验证错误漏洞
来源: 中国国家信息安全漏洞库 CNNVD
Vulnerability Description
Apache camel是美国Apache基金会开源的一个企业集成模式框架。 Apache Camel存在输入验证错误漏洞,该漏洞源于AWS2-SQS组件的输入验证不当,Sqs2HeaderFilterStrategy未配置入站过滤规则,导致攻击者可通过向消费的SQS队列发送消息设置任意Camel控制头,影响下游生产者行为,可能导致HTTP重定向、文件名称更改或查询覆盖等。以下版本受到影响:4.0.0版本至4.14.8之前版本、4.15.0版本至4.18.3之前版本和4.19.0版本至4.21.0之前版本
来源: 中国国家信息安全漏洞库 CNNVD
CVSS Information
N/A
来源: 中国国家信息安全漏洞库 CNNVD
Vulnerability Type
N/A
来源: 中国国家信息安全漏洞库 CNNVD

受影响产品

厂商产品影响版本CPE订阅
Apache Software FoundationApache Camel 4.0.0 ~ 4.14.8 -

二、漏洞 CVE-2026-46456 的公开POC

#POC 描述源链接神龙链接
AI 生成 POC高级

未找到公开 POC。

登录以生成 AI POC

三、漏洞 CVE-2026-46456 的情报信息

登录查看更多情报信息。

CVE-2026-46456 厂商安全公告 (1)

同批安全公告 · Apache Software Foundation · 2026-07-06 · 共 39 条

CVE-2026-46584Apache Camel 输入验证错误漏洞
CVE-2026-48206Apache Camel 输入验证错误漏洞
CVE-2026-48205Apache Camel DNS 输入验证错误漏洞
CVE-2026-48204Apache Camel 输入验证错误漏洞
CVE-2026-48203Apache Camel 输入验证错误漏洞
CVE-2026-46726Apache Camel Vertx Websocket 输入验证错误漏洞
CVE-2026-46592Apache Camel 输入验证错误漏洞
CVE-2026-46591Apache Camel 输入验证错误漏洞
CVE-2026-46590Apache Camel 反序列化注入漏洞
CVE-2026-46585Apache Camel 输入验证错误漏洞
CVE-2026-49086Apache Camel Dapr 输入验证错误漏洞
CVE-2026-46457Apache Camel 输入验证错误漏洞
CVE-2026-46455Apache Camel 会话机制问题漏洞
CVE-2026-46454Apache Camel 输入验证错误漏洞
CVE-2026-46453Apache Camel 输入验证错误漏洞
CVE-2026-43865Apache Camel 反序列化注入漏洞
CVE-2026-42527Apache Camel 反序列化注入漏洞
CVE-2026-40859Apache Camel 反序列化注入漏洞
CVE-2026-40047Apache Camel 命令注入漏洞
CVE-2026-56140Apache Camel 输入验证错误漏洞

显示前 20 条,共 39 条。 查看全部 &rarr; →

IV. Related Vulnerabilities

V. Comments for CVE-2026-46456

暂无评论


发表评论