CVE-2021-37694
Description
@asyncapi/java-spring-cloud-stream-template generates a Spring Cloud Stream (SCSt) microservice. In versions prior to 0.7.0, arbitrary code injection was possible when an attacker controls the AsyncAPI document. An example is provided in GHSA-xj6r-2jpm-qvxp. There are no mitigations available, and all users are advised to update.
CWE
- CWE-94: Improper Control of Generation of Code ('Code Injection')
Affected
- asyncapi / java-spring-cloud-stream-template: versions < 0.7.0 [affected]
CVSS
- 3.1 score=8.7 severity=HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
References
- https://github.com/asyncapi/java-spring-cloud-stream-template/security/advisories/GHSA-xj6r-2jpm-qvxp x_refsource_CONFIRM
Source
cvelistV5-main/cves/2021/37xxx/CVE-2021-37694.json