Impact
Apache Camel’s Docling component builds an argument list for the external `docling` command using a custom header, `CamelDoclingCustomArguments`. The original implementation relied on a denylist of forbidden flags and only checked for a literal `../` sequence in path values. As a result, a Camel route that accepts untrusted data could inject unsupported `docling` flags or craft path‑like arguments that traverse outside the intended directory. The injected arguments may alter the behavior of the external process and potentially expose or modify files that are not part of the intended workspace, compromising the integrity and confidentiality of the system that runs Camel.
Affected Systems
The flaw exists in Apache Camel versions from 4.15.0 up to, but not including, 4.18.3. Users on the 4.18.x long‑term support line are affected until they apply the 4.18.3 update. Versions 4.19.0 and later already contain the CAMEL-23212 fix.
Risk and Exploitability
The EPSS score is reported as < 1%, indicating a very low probability that this vulnerability will be actively exploited. The vulnerability is not listed in the CISA KEV catalog. The CVSS score of 9.1 indicates high severity, reflecting potential complete compromise of confidentiality, integrity, and availability if exploited. The exposed ability to inject unsupported `docling` flags and perform directory traversal could allow an attacker to manipulate or read files outside the intended workspace, thereby compromising the system that runs Camel. The attack requires injection of data into the `CamelDoclingCustomArguments` header or related path headers; therefore, proper authentication, authorization, and input validation diminish the likelihood.
OpenCVE Enrichment