PT-2021-21814 · Unknown · @Asyncapi/Java-Spring-Cloud-Stream-Template
Jonaslagoni · Published 2021-08-11 · Updated 2021-09-13 · CVE-2021-37694
CVSS v3.1: 8.7 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
@asyncapi/java-spring-cloud-stream-template versions prior to 0.7.0
Description
The issue allows arbitrary code injection when an attacker controls the AsyncAPI document. By manipulating the operationId field in the AsyncAPI document, an attacker can inject malicious code. For example, an attacker can modify the operationId to include malicious Java code, such as test() { System.out.println("injected"); return test(0); }, which can be executed when the microservice is generated. The components/schemas/CustomClass schema can also be used to inject malicious code.
Recommendations
For versions prior to 0.7.0, update to version 0.7.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the AsyncAPI document to prevent attackers from controlling it. Additionally, avoid using the operationId field to execute user-controlled code.
Exploit
Fix
Code Injection
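One way to screen a document before it reaches the generator, as an added example (not code from the template or from its 0.7.0 fix). It assumes the AsyncAPI 2.x layout (channels.<name>.publish/subscribe.operationId) and that operationId values and components/schemas key names become Java identifiers in the generated service; isSafeJavaName, findUnsafeNames and the sample document are hypothetical names constructed here.

```javascript
// Added example, not the template's own code: reject AsyncAPI names that are
// not plain Java identifiers before the document is handed to a generator.
// Assumption: AsyncAPI 2.x layout; operationId and schema key names end up as
// Java method/class names in the generated service.
const JAVA_IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;
const JAVA_RESERVED = new Set(('abstract assert boolean break byte case catch ' +
  'char class const continue default do double else enum extends final ' +
  'finally float for goto if implements import instanceof int interface ' +
  'long native new package private protected public return short static ' +
  'strictfp super switch synchronized this throw throws transient try void ' +
  'volatile while true false null').split(' '));

function isSafeJavaName(name) {
  return typeof name === 'string' &&
    JAVA_IDENTIFIER.test(name) && !JAVA_RESERVED.has(name);
}

// Returns [{ path, value }] for every name that fails the identifier check.
function findUnsafeNames(doc) {
  const findings = [];
  const check = (path, value) => {
    if (!isSafeJavaName(value)) findings.push({ path, value });
  };
  for (const [channelName, channel] of Object.entries(doc.channels || {})) {
    for (const kind of ['publish', 'subscribe']) {
      const operation = (channel || {})[kind];
      if (operation && operation.operationId !== undefined) {
        check(`channels.${channelName}.${kind}.operationId`, operation.operationId);
      }
    }
  }
  const schemas = (doc.components || {}).schemas || {};
  for (const schemaName of Object.keys(schemas)) {
    check(`components.schemas.${schemaName}`, schemaName);
  }
  return findings;
}

// Constructed sample document; the first operationId is the payload quoted above.
const sampleDoc = {
  asyncapi: '2.0.0',
  channels: {
    orders: { publish: { operationId: 'test() { System.out.println("injected"); return test(0); }' } },
    invoices: { subscribe: { operationId: 'receiveInvoice' } },
  },
  components: { schemas: { CustomClass: { type: 'object' } } },
};

for (const f of findUnsafeNames(sampleDoc)) {
  console.error(`unsafe name at ${f.path}: ${JSON.stringify(f.value)}`);
}
```

A check like this belongs in the pipeline step that accepts AsyncAPI documents from outside the team, and it complements rather than replaces the upgrade to 0.7.0 or later.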
Weakness Enumeration
Related Identifiers
Affected Products
@Asyncapi/Java-Spring-Cloud-Stream-Template