Apache Camel issue on ExchangeCreatedEvent
Description
Exposure of sensitive data by crafting a malicious EventFactory and providing a custom ExchangeCreatedEvent that exposes sensitive data. Vulnerability in Apache Camel. This issue affects Apache Camel: from 3.21.X through 3.21.3, from 3.22.X through 3.22.0, from 4.0.X through 4.0.3, from 4.X through 4.3.0.
Users are recommended to upgrade to version 3.21.4, 3.22.1, 4.0.4 or 4.4.0, which fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Camel EventFactory vulnerability allows malicious crafted ExchangeCreatedEvent to leak sensitive data, affecting multiple versions; upgrade to fixed versions.
Vulnerability
Overview
The Apache Camel EventFactory class is vulnerable to temporary file information disclosure. By crafting a malicious EventFactory and providing a custom ExchangeCreatedEvent, an attacker can expose sensitive data. [1][4] This issue affects Camel versions starting from 3.21.x through 3.21.3, 3.22.x through 3.22.0, 4.0.x through 4.0.3, and 4.x through 4.3.0. [1]
Exploitation
Prerequisites
Exploitation requires the ability to influence the EventFactory or the ExchangeCreatedEvent within a Camel integration. This could be achieved through untrusted inputs or by compromising a component that creates exchanges. No authentication is explicitly required beyond access to the Camel runtime. [4]
Impact
Successful exploitation results in the exposure of sensitive data that may be stored in temporary files or other transient storage, compromising confidentiality. [4]
Mitigation
Users are recommended to upgrade to the fixed versions: 3.21.4, 3.22.1, 4.0.4, or 4.4.0, depending on their release stream. [1][4] The issue is tracked in JIRA as CAMEL-20305. [2]
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.camel:camel-core | Maven | >= 3.0.0, < 3.21.4 | 3.21.4 |
| org.apache.camel:camel-core | Maven | >= 3.22.0, < 3.22.1 | 3.22.1 |
| org.apache.camel:camel-core | Maven | >= 4.0.0, < 4.0.4 | 4.0.4 |
| org.apache.camel:camel-core | Maven | >= 4.1.0, < 4.4.0 | 4.4.0 |
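A practitioner auditing a build wants to know whether a given camel-core version sits inside one of the four affected ranges above. The following is an added example, not code from the page or from the Apache Camel project: it encodes the GHSA ranges from the table, compares versions as numeric tuples (so that 3.22.0 is correctly reported as affected even though it sorts after the 3.21.4 fix), and scans a constructed, minimal pom.xml, resolving a `${camel.version}` property as Maven would. The sample pom and the function names are assumptions made for this example.

```python
"""Check org.apache.camel:camel-core versions against the CVE-2024-22371
affected ranges (ranges copied from the GHSA table on this page)."""
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# (lower bound inclusive, upper bound exclusive, first patched version), per GHSA
AFFECTED_RANGES = [
    ("3.0.0", "3.21.4", "3.21.4"),
    ("3.22.0", "3.22.1", "3.22.1"),
    ("4.0.0", "4.0.4", "4.0.4"),
    ("4.1.0", "4.4.0", "4.4.0"),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn 'major.minor.patch' into a comparable tuple. A trailing qualifier
    such as '-SNAPSHOT' is dropped because the advisory ranges only list
    numeric release versions."""
    core = v.split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {v!r}")
    return tuple(int(p) for p in parts)


def patched_version_for(v: str) -> Optional[str]:
    """Return the first patched version of the release stream containing v,
    or None when v is outside every affected range."""
    ver = parse_version(v)
    for low, high, fixed in AFFECTED_RANGES:
        if parse_version(low) <= ver < parse_version(high):
            return fixed
    return None


def is_affected(v: str) -> bool:
    return patched_version_for(v) is not None


def camel_core_versions_from_pom(pom_xml: str) -> List[str]:
    """Collect declared camel-core versions from a pom.xml string, resolving
    ${property} references against the <properties> block. The {*} wildcard
    matches any XML namespace, so the Maven POM namespace is handled."""
    root = ET.fromstring(pom_xml)
    props = {}
    props_el = root.find("{*}properties")
    if props_el is not None:
        for p in props_el:
            props[p.tag.split("}", 1)[-1]] = (p.text or "").strip()
    found = []
    for dep in root.iterfind(".//{*}dependency"):
        group = (dep.findtext("{*}groupId") or "").strip()
        artifact = (dep.findtext("{*}artifactId") or "").strip()
        version = (dep.findtext("{*}version") or "").strip()
        if group != "org.apache.camel" or artifact != "camel-core" or not version:
            continue
        if version.startswith("${") and version.endswith("}"):
            version = props.get(version[2:-1], version)
        found.append(version)
    return found


def audit_pom(pom_xml: str) -> List[Tuple[str, Optional[str]]]:
    """Pair each camel-core version in the pom with the upgrade target, or
    None if that version is not affected."""
    return [(v, patched_version_for(v)) for v in camel_core_versions_from_pom(pom_xml)]


# Constructed sample pom (assumption for this example, not a real project file).
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <properties>
    <camel.version>4.0.3</camel.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.camel</groupId>
      <artifactId>camel-core</artifactId>
      <version>${camel.version}</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for version, fix in audit_pom(SAMPLE_POM):
        status = f"affected, upgrade to {fix}" if fix else "not affected"
        print(f"camel-core {version}: {status}")
```

The range table is kept as data rather than hard-coded comparisons so the same check can be reused for other advisories by swapping the tuples; note that the GHSA lower bound for the 3.x stream (3.0.0) is wider than the "from 3.21.X" wording in the description, and this example follows the GHSA table.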
Affected products
- Apache Software Foundation / Apache Camel (range: 3.21.x)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- camel.apache.org/security/CVE-2024-22371.html (vendor advisory)
- github.com/advisories/GHSA-qpxm-689r-3849 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-22371 (NVD advisory)
- issues.apache.org/jira/browse/CAMEL-20305 (JIRA issue)
News mentions
No linked articles in our index yet.