
=====================================================================

                               CERT-Renater

                   Note d'Information No. 2022/VULN443

_____________________________________________________________________

DATE                : 05/12/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Camel versions prior
                                  to 3.14.6, 3.18.4.

=====================================================================
https://lists.apache.org/thread/xlg7s0k7j6knsqq84tln4gnzc3l3d4jv
https://camel.apache.org/security/CVE-2022-45046.html
_____________________________________________________________________

CVE-2022-45046: Apache Camel: LDAP Injection in Camel-LDAP


Description:

LDAP Injection on camel-ldap component when using the filter option.

This issue is being tracked as CAMEL-18696.

Credit:

Apache Camel would like to thank 4ra1n from Chaitin Tech

References:

https://camel.apache.org/security/CVE-2022-45046.html

_____________________________________________________________________

APACHE CAMEL SECURITY ADVISORY: CVE-2022-45046

SEVERITY
MEDIUM


SUMMARY
LDAP Injection in camel-ldap

VERSIONS AFFECTED
3.0.0 up to 3.14.5, and 3.15.0 up to 3.18.3, and 3.19.0.

VERSIONS FIXED
3.14.6, 3.18.4


DESCRIPTION
LDAP Injection on camel-ldap component when using the filter
option.

NOTES
The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-186906
refers to the various commits that resolved the issue, and has
more details. The camel-spring-ldap component is not affected.
Users could move to the camel-spring-ldap component.


MITIGATION
Users should upgrade to 3.14.6 or 3.18.4
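
Added illustration, not part of the advisory and not code from Apache Camel
or its fix: the general defence against LDAP filter injection is to escape
untrusted values as RFC 4515 requires before they are placed in a filter
string. It does not replace the upgrade. The class and method names are
hypothetical and the sample inputs are constructed.

```java
import java.nio.charset.StandardCharsets;

public class LdapFilterEscape {

    // Escape a value for use inside an LDAP search filter assertion.
    // RFC 4515 requires NUL, '(', ')', '*' and '\' to be written as \XX.
    // Non-ASCII bytes are hex-escaped too, which the RFC permits.
    static String escapeFilterValue(String value) {
        StringBuilder out = new StringBuilder();
        for (byte b : value.getBytes(StandardCharsets.UTF_8)) {
            int c = b & 0xFF;
            if (c == 0x00 || c == '(' || c == ')' || c == '*'
                    || c == '\\' || c >= 0x80) {
                out.append(String.format("\\%02x", c));
            } else {
                out.append((char) c);
            }
        }
        return out.toString();
    }

    // Build an equality filter from a fixed attribute name and an
    // untrusted value. The attribute name is never taken from user input
    // and is still checked against a conservative pattern.
    static String equalityFilter(String attribute, String untrustedValue) {
        if (!attribute.matches("[A-Za-z][A-Za-z0-9-]*")) {
            throw new IllegalArgumentException("unexpected attribute name");
        }
        return "(" + attribute + "=" + escapeFilterValue(untrustedValue) + ")";
    }

    public static void main(String[] args) {
        // Constructed samples: a plain value, a value containing filter
        // metacharacters, and a value with a non-ASCII character.
        String[] samples = { "jdoe", "j*)(doe\\", "Zoë" };
        for (String s : samples) {
            // Every result stays a single (uid=...) assertion.
            System.out.println(equalityFilter("uid", s));
        }
    }
}
```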


CREDIT
This issue was discovered by 4ra1n from Chaitin Tech


REFERENCES
PGP signed advisory data: CVE-2022-45046.txt.asc
Mitre CVE Entry: 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45046

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================


