Impact
Improper Input Validation in Apache Camel allows an attacker to provide non-Camel-prefixed exchange headers that bypass the HeaderFilterStrategy. This can cause the value of the operation header to be overridden by untrusted input. An attacker could thus instruct the Camel route to execute arbitrary CouchDB operations, leading to unauthorized data modification, deletion, or execution of dangerous commands, compromising data integrity and potentially confidentiality.
Affected Systems
The vulnerability affects Apache Camel versions up to 4.14.7, 4.15.0 through 4.18.2, and 4.19.0 through 4.20.0. Users using any of these releases should upgrade to version 4.14.8, 4.18.3 or 4.21.0 to receive the fix. The issue is specific to the CouchDB component of Camel.
Risk and Exploitability
No specific CVSS score or EPSS score is publicly available for this issue. The vulnerability is not listed in the CISA KEV catalog, suggesting it may not be widely exploited yet. However, the exploitation path requires the attacker to supply crafted headers in a Camel route that touches CouchDB, which may be limited to applications with exposed Camel endpoints. The risk remains significant for environments that expose such routes, especially if the application is publicly reachable. Timely patching is advised to mitigate potential unauthorized operation override.
OpenCVE Enrichment