Impact
The vulnerability is an Improper Input Validation and Improper Neutralization of Special Elements in Output Used by a Downstream Component flaw in the Camel-IRC producer. Plain, non-prefixed irc.* exchange header names bypass the HTTP header filter, allowing an HTTP client to set the irc.sendTo header and redirect messages to arbitrary IRC channels or users. This can expose message content to attacker‑chosen nicknames, leak information into public channels, or make messages appear to come from the bot. The flaw falls under CWE-20 and CWE-74 and can compromise confidentiality and integrity of communications.
Affected Systems
Apache Camel versions 4.0.x from 4.0.0 up to but not including 4.14.8, 4.15.x from 4.15.0 up to but not including 4.18.3, and 4.19.x from 4.19.0 up to but not including 4.21.0 are affected. The vulnerability resides in the camel-irc component used in routes that bridge an HTTP consumer to an IRC producer.
Risk and Exploitability
The CVSS score of 6.5 indicates a moderate impact. The EPSS score of less than 1% and the absence from the CISA KEV catalog suggest a low probability of widespread exploitation. However, an unauthenticated HTTP client can exploit the vulnerability in a route that accepts arbitrary headers, redirecting bot messages to attacker‑chosen destinations. Successful exploitation would lead to confidential information leakage, compromise integrity of messages, or allow attackers to impersonate the bot.
OpenCVE Enrichment