Apache Camel security advisory: CVE-2023-34442
Summary: Temporary File Local Information Disclosure in camel-jira
Versions affected: 3.0.0 up to 3.14.8, 3.18.0 up to 3.18.7, 3.20.0 up to 3.20.5 and 4.0.0-M1 up to 4.0.0-M3
Versions fixed: 3.14.9, 3.18.8, 3.20.6, 3.21.0 and 4.0.0-RC1
Description: The Camel-Jira FileConverter class is vulnerable to temporary file information disclosure. If sensitive information is written to this file, all other local users will be able to view the contents of that document.
The JIRA ticket https://issues.apache.org/jira/browse/CAMEL-19421 refers to the various commits that resolved the issue and has more details.
Mitigation: Users should upgrade to 3.14.9, 3.18.8, 3.20.6 or 3.21.0, and users on Camel 4.x should update to 4.0.0-M1.
Credit: This issue was discovered by Jonathan Leitschuh of the Open Source Security Foundation: Project Alpha-Omega
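The weakness class described above, shown as an added example that is not Camel's own FileConverter code: the weak pattern creates a temporary file under the process umask (typically world-readable in a shared /tmp), the hardened pattern creates it owner-only, and a check reports whether a given file is readable by other local users. It assumes a POSIX file system; the class and method names are illustrative.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.util.EnumSet;
import java.util.Set;

public class TempFilePermissionsDemo {

    // Weak pattern: File.createTempFile opens the file with mode 0666 masked by
    // the process umask, so on a typical Linux host it ends up 0644 in the
    // shared /tmp and any local user can read what is written into it.
    static File createWeak() throws IOException {
        File f = File.createTempFile("attachment", ".tmp");
        f.deleteOnExit();
        return f;
    }

    // Hardened pattern: Files.createTempFile creates the file with owner-only
    // permissions (rw-------) on POSIX file systems. The permissions are also
    // set explicitly so the intent is enforced regardless of platform defaults.
    static Path createHardened() throws IOException {
        Path p = Files.createTempFile("attachment", ".tmp");
        Set<PosixFilePermission> ownerOnly = EnumSet.of(
                PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE);
        Files.setPosixFilePermissions(p, ownerOnly);
        p.toFile().deleteOnExit();
        return p;
    }

    // Check: true if group or others can read the file (i.e. the contents are
    // exposed to other local users). Non-POSIX file stores are reported as
    // not checkable rather than guessed.
    static boolean isReadableByOthers(Path p) throws IOException {
        if (!Files.getFileStore(p).supportsFileAttributeView("posix")) {
            throw new UnsupportedOperationException("POSIX permissions not available here");
        }
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p);
        return perms.contains(PosixFilePermission.GROUP_READ)
                || perms.contains(PosixFilePermission.OTHERS_READ);
    }

    public static void main(String[] args) throws IOException {
        Path weak = createWeak().toPath();
        Path hardened = createHardened();
        System.out.println("File.createTempFile  readable by others: " + isReadableByOthers(weak));
        System.out.println("Files.createTempFile readable by others: " + isReadableByOthers(hardened));
    }
}
```

Under the usual umask of 022 the first line prints true and the second false; the same check can be run against any temporary file an application produces to confirm the fix took effect.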
- PGP signed advisory data: CVE-2023-34442.txt.asc
- Mitre CVE Entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34442