CVE-2021-37694 – @asyncapi/java-spring-cloud-stream-template

Package

Manager: npm
Name: @asyncapi/java-spring-cloud-stream-template
Vulnerable Version: >=0 <0.7.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

EPSS: 0.00206 pctl0.43087

Details

Code injection issue for java-spring-cloud-stream-template The following was initially reported by @jonaslagoni: Given the following command: `ag ./dummy.json @asyncapi/java-spring-cloud-stream-template --force-write --output ./output` With the following AsyncAPI document: ```json { "asyncapi": "2.0.0", "info": { "title": "Streetlight", "version": "1.0.0" }, "defaultContentType": "json", "channels": { "security/audit/channel": { "description": "Channel for the turn on command which should turn on the streetlight", "parameters": { "streetlight_id": { "description": "The ID of the streetlight", "schema": { "type": "string" } } }, "publish": { "operationId": "test() { System.out.println(\"injected\"); return test(0); }\n public Consumer<CustomClass> someothername", "message": { "name": "TurnonCommand", "payload": { "$ref": "#/components/schemas/CustomClass" } } } } }, "components": { "schemas" : { "CustomClass": { "type": "object", "properties": { "prop": { "type": "string" } } } } } } ``` Which changes the following output: ```java ... @Bean public Consumer<CustomClass> test() { // Add business logic here. return null; } ... ``` To ```java ... @Bean public Consumer<CustomClass> test() { System.out.println("injected"); return someothername(); } public Consumer<CustomClass> someothername() { // Add business logic here. return null; } ... ```

Metadata

Created: 2021-08-25T14:45:52Z
Modified: 2021-08-24T18:50:59Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-xj6r-2jpm-qvxp/GHSA-xj6r-2jpm-qvxp.json
CWE IDs: ["CWE-94"]
Alternative ID: GHSA-xj6r-2jpm-qvxp
Finding: F422
Auto approve: 1