Apache Camel security advisory: CVE-2022-45046

Severity

MEDIUM

Summary

LDAP Injection in camel-ldap

Versions affected

3.0.0 up to 3.14.5, and 3.15.0 up to 3.18.3, and 3.19.0.

Versions fixed

3.14.6, 3.18.4

Description

LDAP Injection on camel-ldap component when using the filter option.
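As an added illustration of the bug class named above (this is not Apache Camel code, and it is written in Python rather than Camel's Java so the logic stands alone), the snippet escapes a user-supplied value before it is interpolated into an LDAP search filter string such as the one a camel-ldap filter option carries, following the RFC 4515 escaping rules; the filter template, the constructed inputs and the structural check are assumptions.

```python
# Added example, not camel-ldap code: escape a value before building an LDAP
# search filter from it, so filter metacharacters in user input become literals
# (RFC 4515 section 3) instead of changing the structure of the filter.

# Characters that carry meaning inside a filter assertion value.
LDAP_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_ldap_filter_value(value: str) -> str:
    """Return `value` with every filter metacharacter replaced by its \\XX form."""
    return "".join(LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_uid_filter(user_input: str) -> str:
    """Assumed filter template: one equality assertion on uid built from escaped input."""
    return f"(uid={escape_ldap_filter_value(user_input)})"


def filter_is_single_assertion(filter_text: str) -> bool:
    """Defensive check: the filter must contain exactly one unescaped '(' and ')'.

    Escaped sequences (backslash plus two hex digits) are skipped, so a
    correctly escaped value can never add assertions to the filter.
    """
    opens = closes = 0
    i = 0
    while i < len(filter_text):
        ch = filter_text[i]
        if ch == "\\":
            i += 3  # skip "\XX"
            continue
        if ch == "(":
            opens += 1
        elif ch == ")":
            closes += 1
        i += 1
    return opens == 1 and closes == 1


if __name__ == "__main__":
    # Constructed input containing every metacharacter the escaper handles.
    crafted = "a*b(c)d\\e"
    print(build_uid_filter(crafted))                        # (uid=a\2ab\28c\29d\5ce)
    print(filter_is_single_assertion(build_uid_filter(crafted)))  # True
    print(filter_is_single_assertion(f"(uid={crafted})"))   # False: structure changed
```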

Notes

The JIRA ticket https://issues.apache.org/jira/browse/CAMEL-186906 refers to the various commits that resolved the issue and has more details. The camel-spring-ldap component is not affected. Users could move to the camel-spring-ldap component.

After further analysis, the reported vulnerability was determined to be a false alarm (no security risk) and this CVE has been retracted.

Mitigation

Users should upgrade to 3.14.6 or 3.18.4.

Credit

This issue was discovered by 4ra1n from Chaitin Tech.

References

PGP signed advisory data: CVE-2022-45046.txt.asc
Mitre CVE Entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45046