Impact
The vulnerability resides in an improper input validation flaw in the HeaderFilterStrategy of the Apache Camel AWS2 SNS projection. The component originally lacked an inbound filtering rule, a gap that was exploitable in a sibling component allowing message senders to inject control headers. In the SNS component, however, the missing inbound rule cannot be triggered because the endpoint is producer‑only and does not accept inbound messages. Consequently, no attacker‑controlled data can reach the Camel Exchange, and the flaw cannot be leveraged for data injection or remote code execution.
Affected Systems
All releases of the Apache Camel AWS2 SNS component from 4.0.0 up to but not including 4.14.8, from 4.15.0 up to 4.18.2, and from 4.19.0 up to 4.20.9 are affected. The fixes that add the inbound filter are included in version 4.14.8 of the 4.14.x LTS stream, 4.18.3 of the 4.18.x stream, and 4.21.0 of the current release line.
Risk and Exploitability
The CVSS base score of 9.8 indicates a high theoretical severity, yet the EPSS score of less than 1% and absence from the CISA KEV catalog show a very low likelihood of exploitation. Because the component cannot consume messages, the missing inbound filter rule is unreachable by an attacker, rendering the practical risk negligible. The change is purely defensive hardening to align with sibling components.
OpenCVE Enrichment