Impact
Apache Camel’s camel‑solr component copies HTTP exchange headers beginning with SolrParam. or SolrField. into Solr request parameters and document fields, bypassing the HTTP header filter because these prefixes do not start with Camel. This allows any external client to inject arbitrary Solr query options such as shards or stream.url that cause the Solr server to perform server‑side requests to attacker‑chosen URLs, reach administrative endpoints via qt, and also insert arbitrary fields into indexed documents. No authentication is required, enabling unauthenticated attackers to exploit the flaw.
Affected Systems
The affected product is Apache Camel from version 4.0.0 up to, but not including, 4.14.8; from 4.15.0 through 4.18.2; and from 4.19.0 through 4.20.999. Earlier releases are not affected. The product is supplied by the Apache Software Foundation.
Risk and Exploitability
The CVSS base score of 9.1 reflects a high severity. The EPSS score is reported as less than 1 %, indicating low observed exploitation activity, and the vulnerability is not listed in CISA KEV. Nevertheless, because the flaw permits arbitrary Solr request formation from any unauthenticated client, it poses a significant risk in environments where Solr is exposed to untrusted traffic. Attackers could trigger internal network reconnaissance, access sensitive cloud metadata, or execute privileged Solr queries.
OpenCVE Enrichment