目标达成 感谢每一位支持者 — 我们达成了 100% 目标!

目标: 1000 元 · 已筹: 1336

100%

CVE-2026-48204— Apache Camel 输入验证错误漏洞

AI 预测 9.8 利用难度: 较易 EPSS 0.45% · P36

影响版本矩阵 3

厂商产品版本范围状态
Apache Software FoundationApache Camel4.0.0< 4.14.8affected
4.15.0< 4.18.3affected
4.19.0< 4.21.0affected
获取后续新漏洞提醒登录后订阅

一、 漏洞 CVE-2026-48204 基础信息

漏洞信息

对漏洞内容有疑问?看看神龙的深度分析是否有帮助!
查看神龙十问 ↗

尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。

Vulnerability Title
Apache Camel: Camel-MongoDB-GridFS: The gridfs.* control headers used non-Camel-prefixed names that bypass the HTTP header filter, allowing an HTTP client to switch the GridFS operation - including destructive file deletion - in the default configuration
来源: 美国国家漏洞数据库 NVD
Vulnerability Description
Improper Input Validation, Improper Access Control vulnerability in Apache Camel in Camel Mongodb Gridfs component. The camel-mongodb-gridfs producer selects the GridFS operation to perform from the gridfs.operation Exchange header when the endpoint's operation parameter is not set - which is the default. The control-header constants (GridFsConstants.GRIDFS_OPERATION, GRIDFS_OBJECT_ID, GRIDFS_METADATA, GRIDFS_CHUNKSIZE, GRIDFS_FILE_ID_PRODUCED) were the plain strings gridfs.operation, gridfs.objectid, gridfs.metadata, gridfs.chunksize and gridfs.fileid. Because these names do not start with the Camel / camel prefix, HttpHeaderFilterStrategy - which blocks only the Camel header namespace on the HTTP boundary - let them pass from an inbound HTTP request straight into the Exchange. In a route that bridges an HTTP consumer (for example platform-http) into a mongodb-gridfs: producer with no explicit operation, any HTTP client could therefore set the gridfs.operation header to override the route's intended operation - switching, for example, a file upload to remove (deleting a file identified by the attacker-supplied gridfs.objectid), listAll (enumerating every file in the bucket) or findOne (reading a file) - and supply a gridfs.metadata value that is parsed as a MongoDB document, enabling NoSQL operator injection. No credentials are required when the bridging consumer is unauthenticated. This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, routes that drive GridFS operations or metadata via the raw header names must use CamelGridFsOperation / CamelGridFsObjectId / CamelGridFsMetadata / CamelGridFsChunkSize / CamelGridFsFileId instead of the gridfs.* names. For deployments that cannot upgrade immediately, set an explicit operation on the mongodb-gridfs: endpoint so the operation is not taken from a header, and strip the gridfs.* headers from any untrusted ingress before the producer.
来源: 美国国家漏洞数据库 NVD
CVSS Information
N/A
来源: 美国国家漏洞数据库 NVD
Vulnerability Type
输入验证不恰当
来源: 美国国家漏洞数据库 NVD
Vulnerability Title
Apache Camel 输入验证错误漏洞
来源: 中国国家信息安全漏洞库 CNNVD
Vulnerability Description
Apache camel是美国Apache基金会开源的一个企业集成模式框架。 Apache Camel存在安全漏洞,该漏洞源于Camel Mongodb Gridfs组件存在输入验证和访问控制不当问题,导致HTTP客户端可通过设置gridfs.operation标头覆盖操作,并利用gridfs.metadata值实现NoSQL操作注入,从而导致文件删除、枚举或读取等操作。以下版本受到影响:4.0.0版本至4.14.8之前版本、4.15.0版本至4.18.3之前版本和4.19.0版本至4.21.0之前版本。
来源: 中国国家信息安全漏洞库 CNNVD
CVSS Information
N/A
来源: 中国国家信息安全漏洞库 CNNVD
Vulnerability Type
N/A
来源: 中国国家信息安全漏洞库 CNNVD

受影响产品

厂商产品影响版本CPE订阅
Apache Software FoundationApache Camel 4.0.0 ~ 4.14.8 -

二、漏洞 CVE-2026-48204 的公开POC

#POC 描述源链接神龙链接
AI 生成 POC高级

未找到公开 POC。

登录以生成 AI POC

三、漏洞 CVE-2026-48204 的情报信息

登录查看更多情报信息。

CVE-2026-48204 厂商安全公告 (1)

同批安全公告 · Apache Software Foundation · 2026-07-06 · 共 39 条

CVE-2026-46457Apache Camel 输入验证错误漏洞
CVE-2026-48206Apache Camel 输入验证错误漏洞
CVE-2026-48205Apache Camel DNS 输入验证错误漏洞
CVE-2026-48203Apache Camel 输入验证错误漏洞
CVE-2026-46726Apache Camel Vertx Websocket 输入验证错误漏洞
CVE-2026-46592Apache Camel 输入验证错误漏洞
CVE-2026-46591Apache Camel 输入验证错误漏洞
CVE-2026-46590Apache Camel 反序列化注入漏洞
CVE-2026-46585Apache Camel 输入验证错误漏洞
CVE-2026-46584Apache Camel 输入验证错误漏洞
CVE-2026-49086Apache Camel Dapr 输入验证错误漏洞
CVE-2026-46456Apache Camel 输入验证错误漏洞
CVE-2026-46455Apache Camel 会话机制问题漏洞
CVE-2026-46454Apache Camel 输入验证错误漏洞
CVE-2026-46453Apache Camel 输入验证错误漏洞
CVE-2026-43865Apache Camel 反序列化注入漏洞
CVE-2026-42527Apache Camel 反序列化注入漏洞
CVE-2026-40859Apache Camel 反序列化注入漏洞
CVE-2026-40047Apache Camel 命令注入漏洞
CVE-2026-56140Apache Camel 输入验证错误漏洞

显示前 20 条,共 39 条。 查看全部 &rarr; →

IV. Related Vulnerabilities

V. Comments for CVE-2026-48204

暂无评论


发表评论