Impact
The vulnerability allows an unauthenticated attacker who can reach the camel‑undertow consumer to trigger a route processing error that causes the full Java stack trace to be returned as the HTTP response body. The exposed stack trace reveals credentials, host names, IP addresses, file paths, dependency and version information, database and class names, and other internal structural details, giving an attacker insight to plan further attacks. This weakness corresponds to CWE‑209: Information Exposure.
Affected Systems
Apache Camel's Undertow component in the Apache Camel framework is impacted. Versions 4.0.0 through 4.14.7, 4.15.0 through 4.18.2, and 4.19.0 through 4.20.9 are affected; the vulnerability is fixed in 4.21.0 and in the later-point releases 4.18.3 and 4.14.8 for the 4.18.x and 4.14.x lines respectively.
Risk and Exploitability
Exploitation requires only the ability to send a crafted request that triggers a route‑level error on an exposed endpoint; the attack vector is inferred because the description does not explicitly state it. Because muteException defaults to false, any errored request returns the complete stack trace and thus sensitive internal details. The CVSS score of 5.3 indicates moderate severity. The EPSS score is reported as < 1 %, indicating a low probability of exploitation on a global basis, though the vulnerability is still highly valuable for targeted attackers. The issue is not listed in CISA KEV and no public exploits have been disclosed; however, attackers can leverage the exposed information to map the internal system and plan subsequent attacks.
OpenCVE Enrichment