[FP]: Camel Components Not Deployed

[er-balaji]

Package URl

pkg:maven/org.apache.camel/camel-core@3.22.4 (base only — affected modules absent)

CPE

cpe:2.3:a:apache:camel:3.22.4:::::::*

CVE

CVE-2025-30177, CVE-2026-25747, CVE-2026-27172, CVE-2026-33454, CVE-2026-40473, CVE-2026-40860, CVE-2026-47323

ODC Integration

None

ODC Version

12.2.1

Description

False positive: The scanner flags Camel core JARs for CVEs that only affect specific Camel components which are not part of the deployment:

CVE	Required Component	Deployed?
CVE-2025-30177	camel-undertow	NO
CVE-2026-25747	camel-consul	NO
CVE-2026-27172	camel-cxf-transport	NO
CVE-2026-33454	camel-mail	NO
CVE-2026-40473	camel-knative-http	NO
CVE-2026-40860	camel-cxf-rest	NO
CVE-2026-47323	camel-consul	NO

Only camel-core, camel-kafka, camel-timer, camel-direct, camel-seda are deployed. The vulnerable camel-undertow/consul/cxf/mail/knative modules are not bundled in the Karaf feature/KAR.

[github-actions]

Failed to automatically evaluate the false positive. See: https://github.com/dependency-check/DependencyCheck/actions/runs/27366476505

[github-actions]

Failed to automatically evaluate the false positive. See: https://github.com/dependency-check/DependencyCheck/actions/runs/27366768278

[chadlwilson]

NVD does not match/manage vulnerabilities at a per-artifact level of granularity and Camel releases everything simultaneously with the same versions, so there is nothing that ODC can do here.

Note how https://nvd.nist.gov/vuln/detail/CVE-2025-30177 is linked to apache:camel .