Homepage
About Snyk

Arbitrary Code Injection Affecting @asyncapi/java-spring-cloud-stream-template package, versions <0.7.0

Severity

 Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    Exploit Maturity
    Proof of concept
    EPSS
    0.14% (51st percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JS-ASYNCAPIJAVASPRINGCLOUDSTREAMTEMPLATE-1540471
  • published 12 Aug 2021
  • disclosed 12 Aug 2021
  • credit Jonas Lagoni
Report a new vulnerability Found a mistake?

Introduced: 12 Aug 2021

CVE-2021-37694 Open this link in a new tab
CWE-94 Open this link in a new tab

How to fix?

Upgrade @asyncapi/java-spring-cloud-stream-template to version 0.7.0 or higher.

Overview

@asyncapi/java-spring-cloud-stream-template is a template that generates a Spring Cloud Stream (SCSt) microservice.

Affected versions of this package are vulnerable to Arbitrary Code Injection. Arbitrary code injection is possible when an attacker controls the AsyncAPI document.

References

CVSS Scores

version 3.1
Expand this section

Snyk

8.7 high
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    High
  • User Interaction (UI)
    None
  • Scope (S)
    Changed
  • Confidentiality (C)
    High
  • Integrity (I)
    High
  • Availability (A)
    None
Expand this section

NVD

7.8 high