Apache Camel security advisory: CVE-2023-34442

Severity

LOW

Summary

Temporary File Local Information Disclosure in camel-jira

Versions affected

3.0.0 up to 3.14.8, 3.18.0 up to 3.18.7, 3.20.0 up to 3.20.5, and 4.0.0-M1 up to 4.0.0-M3

Versions fixed

3.14.9, 3.18.8, 3.20.6, 3.21.0 and 4.0.0-RC1

Description

The Camel-Jira FileConverter class is vulnerable to temporary file local information disclosure: it creates a temporary file whose permissions allow other accounts on the same host to read it. If sensitive information is written to that temporary file, all other local users will be able to view the contents of that document.
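The pattern behind this class of bug, shown as an added illustration rather than the camel-jira FileConverter code (the class and method names below are hypothetical; the actual fix commits are those referenced from CAMEL-19421): `java.io.File.createTempFile` creates the file with the process umask applied, so on a host with the common umask of 022 the file lands in a shared temp directory as `rw-r--r--`. `java.nio.file.Files.createTempFile` instead creates the file atomically with owner-only permissions on POSIX file systems, and the permissions can be stated explicitly. The `isOwnerOnly` check is the kind of assertion a unit test for a converter can make on the files it produces.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.EnumSet;
import java.util.Set;

/**
 * Added illustration of the temporary-file information disclosure class in
 * this advisory. This is NOT the camel-jira FileConverter code; the class and
 * method names are hypothetical.
 */
public class TempFileDisclosureExample {

    /**
     * Weak pattern: File.createTempFile() opens the file with mode 0666 minus
     * the process umask. With a typical umask of 022 the result is rw-r--r--
     * in a shared /tmp, so any local user can read what is written to it.
     */
    static Path weakTempFile() throws IOException {
        File f = File.createTempFile("converted-", ".tmp");
        return f.toPath();
    }

    /**
     * Hardened pattern: Files.createTempFile() creates the file with
     * owner-only permissions on POSIX file systems, and here the intended
     * permissions (rw-------) are also passed explicitly so the intent is
     * visible in the code and applied atomically at creation time.
     */
    static Path hardenedTempFile() throws IOException {
        if (posixSupported()) {
            Set<PosixFilePermission> ownerOnly = EnumSet.of(
                    PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE);
            return Files.createTempFile("converted-", ".tmp",
                    PosixFilePermissions.asFileAttribute(ownerOnly));
        }
        // Non-POSIX file systems (e.g. NTFS) use ACLs and per-user temp
        // directories; the NIO variant is still preferred over java.io.File.
        return Files.createTempFile("converted-", ".tmp");
    }

    /**
     * Defensive check: returns true only if no group or other permission bit
     * is set on the file. On non-POSIX platforms the bits cannot be read, so
     * the check is skipped and reports true.
     */
    static boolean isOwnerOnly(Path p) throws IOException {
        if (!posixSupported()) {
            return true;
        }
        for (PosixFilePermission perm : Files.getPosixFilePermissions(p)) {
            switch (perm) {
                case GROUP_READ: case GROUP_WRITE: case GROUP_EXECUTE:
                case OTHERS_READ: case OTHERS_WRITE: case OTHERS_EXECUTE:
                    return false;
                default:
                    // owner bits are acceptable
            }
        }
        return true;
    }

    private static boolean posixSupported() {
        return FileSystems.getDefault().supportedFileAttributeViews().contains("posix");
    }

    private static String describe(Path p) throws IOException {
        if (!posixSupported()) {
            return p.toString();
        }
        return p + " (" + PosixFilePermissions.toString(Files.getPosixFilePermissions(p)) + ")";
    }

    public static void main(String[] args) throws IOException {
        Path weak = weakTempFile();
        Path hard = hardenedTempFile();
        try {
            System.out.println("File.createTempFile  -> " + describe(weak)
                    + " ownerOnly=" + isOwnerOnly(weak));
            System.out.println("Files.createTempFile -> " + describe(hard)
                    + " ownerOnly=" + isOwnerOnly(hard));
        } finally {
            // Temporary files holding converted content should be removed
            // as soon as they are no longer needed, whichever API created them.
            Files.deleteIfExists(weak);
            Files.deleteIfExists(hard);
        }
    }
}
```

Running this on a Linux host with umask 022 shows the first file as `rw-r--r--` and the second as `rw-------`; on a host whose umask is already 077 both appear owner-only, which is why relying on the umask rather than the API is fragile.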

Notes

The JIRA ticket https://issues.apache.org/jira/browse/CAMEL-19421 refers to the various commits that resolved the issue and has more details.

Mitigation

Users should upgrade to 3.14.9, 3.18.8, 3.20.6 or 3.21.0; users on Camel 4.x should update to 4.0.0-M1.

Credit

This issue was discovered by Jonathan Leitschuh of the Open Source Security Foundation: Project Alpha-Omega

References

PGP signed advisory data: CVE-2023-34442.txt.asc
Mitre CVE Entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34442