RHSA-2026:37390HighCVSS 8.8

Red Hat Security Advisory: Red Hat Build of Apache Camel 4.18.1.P1 for Spring Boot release.

Published
July 9, 2026
Last Modified
July 10, 2026

🔗 CVE IDs covered (32)

📋 Description

CVE-2026-24400 — assertj: AssertJ: Information disclosure and denial of service via XML External Entity (XXE) CVE-2026-34478 — org.apache.logging.log4j/log4j-core: Apache Log4j Core: Log injection via CRLF sequences due to configuration attribute renames CVE-2026-34480 — org.apache.logging.log4j/log4j-core: Apache Log4j Core: Invalid XML output causes denial of service in logging CVE-2026-34481 — org.apache.logging.log4j: Apache Log4j JsonTemplateLayout: Denial of Service via invalid JSON output CVE-2026-40984 — micrometer-core: micrometer-jetty11: micrometer-jetty12: Micrometer: Denial of Service via specially crafted HTTP requests CVE-2026-42578 — netty: io.netty/netty-handler-proxy: Netty: HTTP Header Injection via HttpProxyHandler Disabled Validation CVE-2026-42579 — netty: Netty: High integrity impact due to improper DNS domain name constraint enforcement CVE-2026-42581 — netty: io.netty/netty-codec-http: Netty: HTTP Request Smuggling due to improper handling of conflicting HTTP/1.0 headers CVE-2026-42584 — netty: io.netty/netty-codec-http: Netty: Incorrect HTTP response parsing leads to data confusion CVE-2026-42586 — netty-codec-redis: Netty: Command injection via CRLF characters in Redis codec encoder CVE-2026-42587 — netty: io.netty/netty-codec-http: io.netty/netty-codec-http2: Netty: Denial of Service via unbounded memory allocation in HTTP content decompression CVE-2026-44248 — netty: io.netty/netty-codec-mqtt: Netty: Denial of Service due to excessive resource consumption from crafted MQTT 5 header CVE-2026-44249 — netty-handler: netty-handler: IPv6 subnet rule bypass due to incorrect masking operation CVE-2026-44250 — netty-codec-redis: netty-codec-redis: Denial of Service via crafted Redis payload with deeply nested arrays CVE-2026-44417 — org.apache.cxf/cxf-rt-transports-jms: Apache CXF: Remote Code Execution via untrusted JMS configuration CVE-2026-44890 — netty-codec-redis: netty-codec-redis: Denial of Service via crafted Redis payloads CVE-2026-44893 — netty-codec-haproxy: Netty-codec-haproxy: Denial of Service via malformed HAProxy message CVE-2026-44930 — apache-cxf: org.apache.cxf.services.xkms/cxf-services-xkms-x509-repo-ldap: Apache CXF: Information Disclosure via LDAP Injection CVE-2026-45416 — netty-handler: Netty: Denial of Service due to eager buffer allocation in TLS handshake CVE-2026-45674 — netty-resolver-dns: Netty: Information disclosure and data manipulation due to improper CNAME record validation CVE-2026-46340 — netty-transport-sctp: Netty-transport-sctp: Denial of Service due to unbounded memory growth from SctpMessage fragments CVE-2026-47691 — io.netty/netty-resolver-dns: Netty has Insufficient Bailiwick Validation for NS Records CVE-2026-48006 — netty-codec-redis: Netty's Lack of Lifecycle Cleanup Leads to Pooled ByteBuf Leak in RedisArrayAggregator CVE-2026-48043 — netty-codec-http2: netty-codec-http2: Denial of Service due to resource leak CVE-2026-48059 — netty-codec-haproxy: Netty HAProxy PROXY protocol v2 codec: Denial of Service via memory leak from crafted PROXY protocol headers CVE-2026-49875 — cxf: org.apache.cxf/cxf-core: Apache CXF: Information disclosure via out-of-band external entity resolution due to missing JAXP hardening CVE-2026-50010 — netty-handler: Netty: Improper trust manager handling leads to hostname verification bypass CVE-2026-50011 — netty-codec-redis: Netty: Denial of Service via malicious Redis array header CVE-2026-50627 — apache-cxf: org.apache.cxf/cxf-rt-rs-security-oauth2: Apache CXF: Token Confusion/Routing attacks due to improper validation of JWT audience claims CVE-2026-50628 — cxf: org.apache.cxf/cxf-rt-rs-security-oauth2: cxf: Unauthorized access due to logic error in OAuthRequestFilter CVE-2026-50632 — cxf: org.apache.cxf/cxf-rt-transports-jms: Apache CXF: Arbitrary code execution via untrusted JMS configuration CVE-2026-50633 — apache-cxf: org.apache.cxf/cxf-integration-jca: Apache CXF: Arbitrary code execution via JNDI Injection

🔗 References (35)