Apache · Apache bRPC · CVE-2024-23452
**Name of the Vulnerable Software and Affected Versions**
Apache bRPC versions 0.9.5 through 1.7.0
**Description**
The issue arises from the HTTP parser not complying with the RFC 7230 HTTP/1.1 specification, specifically in its handling of messages that carry both `Transfer-Encoding` and `Content-Length` header fields. This can lead to request smuggling or response splitting attacks. In a scenario where a bRPC-based HTTP server on the backend receives requests over a persistent connection from a frontend server that uses `Transfer-Encoding` to determine message boundaries, an attacker can smuggle a request into the connection to the backend server.
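As an added illustration (not bRPC's code and not the parser fixed in the pull request below), the two framing rules the description contrasts, applied to one constructed message that carries both headers: the RFC 7230 rule lets `Transfer-Encoding` take precedence, the non-compliant rule honours `Content-Length` first, and the two see different request boundaries in the same bytes; `is_ambiguous` is the check a hardened server applies before framing at all. Function names, the sample bytes and the `/health` path are constructed for this example.

```python
# Added illustration, not bRPC code: one constructed HTTP/1.1 message with both
# framing headers, parsed by an RFC 7230 rule and by a Content-Length-first rule.
def parse_head(raw):
    """Return (request line, lower-cased header map, bytes after the headers)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, rest

def read_chunked(rest):
    """Decode a chunked body; return (body, bytes left after the last chunk)."""
    body = b""
    while True:
        size_line, _, rest = rest.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)   # chunk extensions ignored
        if size == 0:
            _, _, rest = rest.partition(b"\r\n")   # skip the (empty) trailer
            return body, rest
        body += rest[:size]
        rest = rest[size + 2:]                     # drop the CRLF after the data

def frame_rfc7230(raw):
    """RFC 7230 3.3.3: Transfer-Encoding takes precedence, Content-Length is ignored."""
    _, h, rest = parse_head(raw)
    if b"transfer-encoding" in h:
        return read_chunked(rest)
    n = int(h.get(b"content-length", b"0"))
    return rest[:n], rest[n:]

def frame_content_length_first(raw):
    """Non-compliant rule: Content-Length is honoured even when Transfer-Encoding is set."""
    _, h, rest = parse_head(raw)
    if b"content-length" in h:
        n = int(h[b"content-length"])
        return rest[:n], rest[n:]
    return read_chunked(rest)

def is_ambiguous(raw):
    """The check a compliant parser applies first: both framing headers present."""
    _, h, _ = parse_head(raw)
    return b"transfer-encoding" in h and b"content-length" in h

# Constructed sample: a chunked body whose only chunk reads like a second request.
SAMPLE = (b"POST /api HTTP/1.1\r\nHost: backend\r\n"
          b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n"
          b"18\r\nGET /health HTTP/1.1\r\n\r\n\r\n0\r\n\r\n")
```

Under the RFC rule the whole chunk is the body of a single request; under the Content-Length-first rule the body ends after four bytes and the remainder, beginning with `GET /health`, is left on the connection to be read as a second request.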
**Recommendations**
For Apache bRPC versions 0.9.5 through 1.7.0, upgrade to version 1.8.0, which fixes this issue.
As a temporary workaround, consider applying the patch available at https://github.com/apache/brpc/pull/2518 to mitigate the risk of exploitation.