{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-22371", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2024-01-09T12:04:27.624Z", "datePublished": "2024-02-26T09:22:38.384Z", "dateUpdated": "2024-10-31T13:03:53.000Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache Camel", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "1.6.0", "status": "unaffected", "version": "1.x", "versionType": "semver"}, {"lessThanOrEqual": "3.21.3", "status": "affected", "version": "3.21.x", "versionType": "semver"}, {"lessThanOrEqual": "3.22.0", "status": "affected", "version": "3.22.x", "versionType": "semver"}, {"lessThanOrEqual": "4.0.3", "status": "affected", "version": "4.0.x", "versionType": "semver"}, {"lessThanOrEqual": "4.3.0", "status": "affected", "version": "4.x", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Otavio Rodolfo Piske from the Apache Software Foundation"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Exposure of sensitive data by by crafting a malicious EventFactory and providing a custom ExchangeCreatedEvent that exposes sensitive data. Vulnerability in Apache Camel.<p>This issue affects Apache Camel: from 3.21.X through 3.21.3, from 3.22.X through 3.22.0, from 4.0.X through 4.0.3, from 4.X through 4.3.0.</p><p>Users are recommended to upgrade to version 3.21.4, 3.22.1, 4.0.4 or 4.4.0, which fixes the issue.</p>"}], "value": "Exposure of sensitive data by by crafting a malicious EventFactory and providing a custom ExchangeCreatedEvent that exposes sensitive data. Vulnerability in Apache Camel.This issue affects Apache Camel: from 3.21.X through 3.21.3, from 3.22.X through 3.22.0, from 4.0.X through 4.0.3, from 4.X through 4.3.0.\n\nUsers are recommended to upgrade to version 3.21.4, 3.22.1, 4.0.4 or 4.4.0, which fixes the issue.\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 2.9, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "Low"}]}], "problemTypes": [{"descriptions": [{"description": "Exposure of sensitive data by by crafting a malicious EventFactory and providing a custom ExchangeCreatedEvent that exposes sensitive data.", "lang": "en"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-02-26T09:22:38.384Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://camel.apache.org/security/CVE-2024-22371.html"}], "source": {"defect": ["CAMEL-20305"], "discovery": "INTERNAL"}, "title": "Apache Camel issue on ExchangeCreatedEvent", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:43:34.525Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://camel.apache.org/security/CVE-2024-22371.html"}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-922", "lang": "en", "description": "CWE-922 Insecure Storage of Sensitive Information"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-05T14:48:22.345763Z", "id": "CVE-2024-22371", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-31T13:03:53.000Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://camel.apache.org/security/CVE-2024-22371.html", "tags": ["vendor-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:43:34.525Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-22371", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-05T14:48:22.345763Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-922", "description": "CWE-922 Insecure Storage of Sensitive Information"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-05T15:10:21.153Z"}}], "cna": {"title": "Apache Camel issue on ExchangeCreatedEvent", "source": {"defect": ["CAMEL-20305"], "discovery": "INTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Otavio Rodolfo Piske from the Apache Software Foundation"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.9, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "Low"}]}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Camel", "versions": [{"status": "unaffected", "version": "1.x", "versionType": "semver", "lessThanOrEqual": "1.6.0"}, {"status": "affected", "version": "3.21.x", "versionType": "semver", "lessThanOrEqual": "3.21.3"}, {"status": "affected", "version": "3.22.x", "versionType": "semver", "lessThanOrEqual": "3.22.0"}, {"status": "affected", "version": "4.0.x", "versionType": "semver", "lessThanOrEqual": "4.0.3"}, {"status": "affected", "version": "4.x", "versionType": "semver", "lessThanOrEqual": "4.3.0"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://camel.apache.org/security/CVE-2024-22371.html", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Exposure of sensitive data by by crafting a malicious EventFactory and providing a custom ExchangeCreatedEvent that exposes sensitive data. Vulnerability in Apache Camel.This issue affects Apache Camel: from 3.21.X through 3.21.3, from 3.22.X through 3.22.0, from 4.0.X through 4.0.3, from 4.X through 4.3.0.\n\nUsers are recommended to upgrade to version 3.21.4, 3.22.1, 4.0.4 or 4.4.0, which fixes the issue.\n\n", "supportingMedia": [{"type": "text/html", "value": "Exposure of sensitive data by by crafting a malicious EventFactory and providing a custom ExchangeCreatedEvent that exposes sensitive data. Vulnerability in Apache Camel.<p>This issue affects Apache Camel: from 3.21.X through 3.21.3, from 3.22.X through 3.22.0, from 4.0.X through 4.0.3, from 4.X through 4.3.0.</p><p>Users are recommended to upgrade to version 3.21.4, 3.22.1, 4.0.4 or 4.4.0, which fixes the issue.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Exposure of sensitive data by by crafting a malicious EventFactory and providing a custom ExchangeCreatedEvent that exposes sensitive data."}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-02-26T09:22:38.384Z"}}}, "cveMetadata": {"cveId": "CVE-2024-22371", "state": "PUBLISHED", "dateUpdated": "2024-10-31T13:03:53.000Z", "dateReserved": "2024-01-09T12:04:27.624Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2024-02-26T09:22:38.384Z", "assignerShortName": "apache"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*", "matchCriteriaId": "538BED08-EC3A-4994-AD1C-2E55AF256D72", "versionEndExcluding": "3.21.4", "versionStartIncluding": "3.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:camel:*:-:*:*:*:*:*:*", "matchCriteriaId": "0D74033D-CA38-4898-AAF5-9A326272C684", "versionEndExcluding": "4.0.4", "versionStartIncluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*", "matchCriteriaId": "27A2B9B3-E722-442D-81B4-F2DE97C328FB", "versionEndExcluding": "4.4.0", "versionStartIncluding": "4.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:camel:3.22.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA31037D-507A-42D5-97BE-E57A85C9FF4F", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Exposure of sensitive data by by crafting a malicious EventFactory and providing a custom ExchangeCreatedEvent that exposes sensitive data. Vulnerability in Apache Camel.This issue affects Apache Camel: from 3.21.X through 3.21.3, from 3.22.X through 3.22.0, from 4.0.X through 4.0.3, from 4.X through 4.3.0.\n\nUsers are recommended to upgrade to version 3.21.4, 3.22.1, 4.0.4 or 4.4.0, which fixes the issue.\n\n"}, {"lang": "es", "value": "Exposici\u00f3n de datos confidenciales mediante la creaci\u00f3n de un EventFactory malicioso y proporcionando un ExchangeCreatedEvent personalizado que expone datos confidenciales. Vulnerabilidad en Apache Camel. Este problema afecta a Apache Camel: desde 3.21.X hasta 3.21.3, desde 3.22.X hasta 3.22.0, desde 4.0.X hasta 4.0.3, desde 4.X hasta 4.3.0. Se recomienda a los usuarios actualizar a la versi\u00f3n 3.21.4, 3.22.1, 4.0.4 o 4.4.0, que soluciona el problema."}], "id": "CVE-2024-22371", "lastModified": "2025-04-25T18:56:25.390", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 2.9, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.4, "impactScore": 1.4, "source": "security@apache.org", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-02-26T16:27:56.557", "references": [{"source": "security@apache.org", "tags": ["Vendor Advisory"], "url": "https://camel.apache.org/security/CVE-2024-22371.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://camel.apache.org/security/CVE-2024-22371.html"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-922"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:4057", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/logic-data-index-ephemeral-rhel8:1.33.0-5", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-24T00:00:00Z"}, {"advisory": "RHSA-2024:4057", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/logic-data-index-postgresql-rhel8:1.33.0-5", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-24T00:00:00Z"}, {"advisory": "RHSA-2024:4057", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/logic-jobs-service-ephemeral-rhel8:1.33.0-5", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-24T00:00:00Z"}, {"advisory": "RHSA-2024:4057", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/logic-jobs-service-postgresql-rhel8:1.33.0-5", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-24T00:00:00Z"}, {"advisory": "RHSA-2024:4057", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/logic-kn-workflow-cli-artifacts-rhel8:1.33.0-5", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-24T00:00:00Z"}, {"advisory": "RHSA-2024:4057", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/logic-operator-bundle:1.33.0-5", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-24T00:00:00Z"}, {"advisory": "RHSA-2024:4057", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/logic-rhel8-operator:1.33.0-3", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-24T00:00:00Z"}, {"advisory": "RHSA-2024:4057", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/logic-swf-builder-rhel8:1.33.0-5", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-24T00:00:00Z"}, {"advisory": "RHSA-2024:4057", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/logic-swf-devmode-rhel8:1.33.0-5", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-24T00:00:00Z"}], "bugzilla": {"description": "camel-core: Exposure of sensitive data by crafting a malicious EventFactory", "id": "2266024", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2266024"}, "csaw": false, "cvss3": {"cvss3_base_score": "2.9", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "status": "verified"}, "cwe": "CWE-201", "details": ["Exposure of sensitive data by by crafting a malicious EventFactory and providing a custom ExchangeCreatedEvent that exposes sensitive data. Vulnerability in Apache Camel.This issue affects Apache Camel: from 3.21.X through 3.21.3, from 3.22.X through 3.22.0, from 4.0.X through 4.0.3, from 4.X through 4.3.0.\nUsers are recommended to upgrade to version 3.21.4, 3.22.1, 4.0.4 or 4.4.0, which fixes the issue.", "A flaw was found in Apache Camel. This issue may allow an attacker to expose sensitive data by crafting a malicious EventFactory and providing a custom ExchangeCreatedEvent."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-22371", "package_state": [{"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Not affected", "package_name": "camel-core", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:camel_quarkus:3", "fix_state": "Affected", "package_name": "camel-core", "product_name": "Red Hat build of Apache Camel 4 for Quarkus 3"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:3", "fix_state": "Out of support scope", "package_name": "camel-core", "product_name": "Red Hat build of Apache Camel for Spring Boot 3"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Not affected", "package_name": "camel-core", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:rhboac_hawtio:4", "fix_state": "Will not fix", "package_name": "camel-core", "product_name": "Red Hat build of Apache Camel - HawtIO 4"}, {"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Not affected", "package_name": "camel-core", "product_name": "Red Hat Build of Keycloak"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Out of support scope", "package_name": "camel-core", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Fix deferred", "package_name": "camel-core", "product_name": "Red Hat Integration Camel K 1"}, {"cpe": "cpe:/a:redhat:camel_quarkus:2", "fix_state": "Will not fix", "package_name": "camel-core", "product_name": "Red Hat Integration Camel Quarkus 2"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Will not fix", "package_name": "camel-core", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "camel-core", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "camel-core", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "camel-core", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Out of support scope", "package_name": "camel-core", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Will not fix", "package_name": "camel-core", "product_name": "Red Hat Single Sign-On 7"}, {"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Not affected", "package_name": "camel-core", "product_name": "Red Hat support for Spring Boot"}], "public_date": "2024-02-23T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-22371\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-22371\nhttps://camel.apache.org/security/CVE-2024-22371.html\nhttps://issues.apache.org/jira/browse/CAMEL-20305"], "threat_severity": "Low"}