
[FP]: Enterprise Shaded Jar Misidentified as Apache Camel 1.x #8597

@mnika93

Package URL

Enterprise jar that shades Apache Camel Kafka version 3.22.4

CPE

cpe:2.3:a:apache:camel:1.139.4.2:::::::*

CVE

CVE-2013-4330, CVE-2014-0002, CVE-2014-0003, CVE-2015-5344, CVE-2016-8750, CVE-2017-3159, CVE-2017-5643, CVE-2018-17196, CVE-2019-0188, CVE-2025-27636

ODC Integration

None

ODC Version

12.2.1

Description

False positive: the scanner matches an enterprise-internal OSGi bundle whose name includes "camel" against CPE apache:camel:1.139.4.2 because:

  1. The word "camel" appears in the artifact name
  2. The internal version 1.139.4-2 is interpreted as Apache Camel version 1.139.4.2

This is an internal OSGi bundle that wraps Apache Camel Kafka functionality. The actual Apache Camel version shaded inside is org.apache.camel:camel-kafka:3.22.4 (confirmed via the shaded dependency metadata in the same report). All listed CVEs affect Apache Camel versions prior to 3.x and were fixed years ago — Camel 3.22.4 is not vulnerable to any of them.

The CPE cpe:2.3:a:apache:camel:1.139.4.2 does not correspond to any real Apache Camel release. The CPE analyzer incorrectly derived this from the artifact's internal version number.
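
A check and a suppression for this class of false positive, added here as an example (it is not from the issue above and not Dependency-Check's own code): the script reads the shaded artifacts' `pom.properties` descriptors out of the jar to confirm which Apache Camel version is actually bundled, then emits a Dependency-Check suppression keyed on the jar's SHA-1 rather than on a name regex, so the same rule cannot silently hide a genuinely vulnerable Camel jar elsewhere in the build. The sample jar, the `com.example` coordinates and the `Bundle-Version` line in its manifest are constructed for illustration, and the script assumes maven-shade left the shaded descriptors under `META-INF/maven/` (the default unless the descriptors were stripped).

```python
"""Confirm the Apache Camel version really shaded into a wrapper jar and emit a
Dependency-Check suppression for the bogus apache:camel CPE match.

Added example, not code from the issue or from Dependency-Check. Assumes the
shaded artifacts kept their META-INF/maven/<groupId>/<artifactId>/pom.properties.
"""
import hashlib
import io
import zipfile

POM_PREFIX = "META-INF/maven/"
ODC_XSD = "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"


def _parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: key=value lines, '#' or '!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def shaded_maven_coords(jar_bytes: bytes) -> dict:
    """Map 'groupId:artifactId' -> version for every Maven descriptor in the jar."""
    coords = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith(POM_PREFIX) and name.endswith("/pom.properties"):
                props = _parse_properties(zf.read(name).decode("utf-8", "replace"))
                if {"groupId", "artifactId", "version"} <= props.keys():
                    coords[f"{props['groupId']}:{props['artifactId']}"] = props["version"]
    return coords


def camel_versions(jar_bytes: bytes) -> dict:
    """Only the org.apache.camel artifacts: these versions, not the wrapper's,
    decide whether a Camel CVE applies."""
    return {ga: v for ga, v in shaded_maven_coords(jar_bytes).items()
            if ga.startswith("org.apache.camel:")}


def suppression_xml(jar_bytes: bytes, cpe_product: str = "cpe:/a:apache:camel") -> str:
    """Suppression entry keyed on the exact binary (SHA-1), suppressing only the
    apache:camel CPE so other findings on the same jar still surface."""
    sha1 = hashlib.sha1(jar_bytes).hexdigest()
    real = ", ".join(f"{ga}@{v}" for ga, v in sorted(camel_versions(jar_bytes).items()))
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<suppressions xmlns="{ODC_XSD}">\n'
        '  <suppress>\n'
        f'    <notes><![CDATA[Internal wrapper bundle; shades {real}. '
        'The CPE version was derived from the wrapper version, not from Camel.]]></notes>\n'
        f'    <sha1>{sha1}</sha1>\n'
        f'    <cpe>{cpe_product}</cpe>\n'
        '  </suppress>\n'
        '</suppressions>\n'
    )


def build_sample_jar() -> bytes:
    """Constructed stand-in for the wrapper jar in the report (not the real artifact).
    OSGi requires a dotted qualifier, so a Maven version 1.139.4-2 is written to the
    manifest as Bundle-Version 1.139.4.2, the string the scanner mistook for Camel."""
    entries = {
        "META-INF/MANIFEST.MF":
            "Manifest-Version: 1.0\n"
            "Bundle-SymbolicName: com.example.camel.kafka.wrapper\n"
            "Bundle-Version: 1.139.4.2\n",
        "META-INF/maven/com.example/camel-kafka-wrapper/pom.properties":
            "version=1.139.4-2\ngroupId=com.example\nartifactId=camel-kafka-wrapper\n",
        "META-INF/maven/org.apache.camel/camel-kafka/pom.properties":
            "#Generated by Maven\nversion=3.22.4\ngroupId=org.apache.camel\nartifactId=camel-kafka\n",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in entries.items():
            # Fixed mtime so the sample jar, and therefore its SHA-1, is reproducible.
            info = zipfile.ZipInfo(name, date_time=(1980, 1, 1, 0, 0, 0))
            zf.writestr(info, text)
    return buf.getvalue()


if __name__ == "__main__":
    jar = build_sample_jar()
    print("shaded Camel artifacts:", camel_versions(jar))   # {'org.apache.camel:camel-kafka': '3.22.4'}
    print(suppression_xml(jar))
```

Point the scan at the generated file with `--suppression <file>`. Because the rule is bound to the jar's SHA-1 it has to be regenerated whenever the wrapper is rebuilt, which is the intended trade-off: a `packageUrl` or `filePath` regex on "camel" would also swallow a future finding against a real Camel upgrade. The script only establishes which version is bundled; whether that version sits inside each CVE's affected range is still a check against the individual advisories.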
