CVE-2024-22371: 
Java vulnerability analysis and mitigation

Apache Camel reported a security vulnerability (CVE-2024-22371) involving exposure of sensitive data through a malicious EventFactory and custom ExchangeCreatedEvent. The vulnerability affects Apache Camel versions from 3.21.X through 3.21.3, from 3.22.X through 3.22.0, from 4.0.X through 4.0.3, and from 4.X through 4.3.0. The issue was discovered by Otavio Rodolfo Piske from Apache Software Foundation (Apache Security).

The vulnerability is related to the EventFactory class being vulnerable to temporary file information disclosure. Under specific conditions, it allows exposure of sensitive data. The issue has been assigned a CVSS 3.1 Base Score of 2.9 (LOW) with the vector string CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N. The vulnerability is classified under CWE-922 (Insecure Storage of Sensitive Information) (NVD Database, Apache Security).

The vulnerability could lead to the exposure of sensitive data through temporary file information disclosure when specific conditions are met (Apache Security).

Users are recommended to upgrade to version 3.21.4, 3.22.1, 4.0.4, or 4.4.0, which fixes the issue. For users on the 4.0.x LTS releases stream, upgrading to 4.0.4 is suggested. Users on 3.x are advised to move to either 3.21.4 or 3.22.1 (Apache Security).