Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Apache Camel Camel-Coap component. Apache Camel's camel-coap component is vulnerable to Camel message header injection, leading to remote code execution when routes forward CoAP requests to header-sensitive producers (e.g. camel-exec) The camel-coap component maps incoming CoAP request URI query parameters directly into Camel Exchange In message headers without applying any HeaderFilterStrategy. Specifically, CamelCoapResource.handleRequest() iterates over OptionSet.getUriQuery() and calls camelExchange.getIn().setHeader(...) for every query parameter. CoAPEndpoint extends DefaultEndpoint rather than DefaultHeaderFilterStrategyEndpoint, and CoAPComponent does not implement HeaderFilterStrategyComponent; the component contains no references to HeaderFilterStrategy at all. As a result, an unauthenticated attacker who can send a single CoAP UDP packet to a Camel route consuming from coap:// can inject arbitrary Camel internal headers (those prefixed with Camel*) into the Exchange. When the route delivers the message to a header-sensitive producer such as camel-exec, camel-sql, camel-bean, camel-file, or template components (camel-freemarker, camel-velocity), the injected headers can alter the producer's behavior. In the case of camel-exec, the CamelExecCommandExecutable and CamelExecCommandArgs headers override the executable and arguments configured on the endpoint, resulting in arbitrary OS command execution under the privileges of the Camel process. The producer's output is written back to the Exchange body and returned in the CoAP response payload by CamelCoapResource, giving the attacker an interactive RCE channel without any need for out-of-band exfiltration. Exploitation prerequisites are minimal: a single unauthenticated UDP datagram to the CoAP port (default 5683). CoAP (RFC 7252) has no built-in authentication, and DTLS is optional and disabled by default. Because the protocol is UDP-based, HTTP-layer WAF/IDS controls do not apply. This issue affects Apache Camel: from 4.14.0 through 4.14.5, from 4.18.0 before 4.18.1, 4.19.0. Users are recommended to upgrade to version 4.18.1 or 4.19.0, fixing the issue.
The CamelCoapResource.handleRequest() method iterates through CoAP query URI parameters and calls setHeader() for each one without applying a HeaderFilterStrategy mechanism — the CoAPEndpoint component inherits from DefaultEndpoint rather than DefaultHeaderFilterStrategyEndpoint and does not implement HeaderFilterStrategyComponent. An attacker can thereby inject arbitrary internal Camel headers (with the Camel* prefix) into the Exchange object. When the route directs the message to a header-sensitive producer such as camel-exec, the injected CamelExecCommandExecutable and CamelExecCommandArgs headers override the configured executable file and its arguments, leading to arbitrary system command execution. The result of the command is returned directly in the CoAP response, creating an interactive RCE channel without the need for out-of-band exfiltration.
An unauthenticated attacker gains remote code execution (RCE) with arbitrary system commands with the privileges of the Apache Camel process, which can lead to complete server compromise, data exfiltration, and further lateral movement in the network.
Apache Camel should be updated to version 4.18.1 or 4.19.0, in which the issue has been fixed. Additionally, until the patch is deployed, it is recommended to restrict network access to the CoAP port (default UDP 5683) to trusted sources only and enable DTLS for transport-level authentication.
Apache Camel in versions from 4.14.0 to 4.14.5 inclusive, from 4.18.0 before 4.18.1, and 4.19.0 — when the route uses the camel-coap component and directs messages to sensitive producers (e.g., camel-exec, camel-sql, camel-bean, camel-file, camel-freemarker, camel-velocity)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HApache Camel
APPApache4.18.04.19.04.14.0 – 4.14.5
Related vulnerabilities
Apache Camel: wstrzyknięcie nagłówków HTTP w camel-cxf i camel-knative (RCE)
Apache Camel: niebezpieczna deserializacja JMS ObjectMessage prowadząca do RCE
Apache Camel — obejście filtrowania nagłówków umożliwiające RCE
Apache Camel: wstrzyknięcie nagłówków przez komponent Camel-Mail
Apache Camel: pominięcie weryfikacji issuer JWT w KeycloakSecurityPolicy