CVE-2024-35223

Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge. Dapr sends the app token of the invoker app instead of the app token of the invoked app. This causes of a leak of the application token of the invoker app to the invoked app when using Dapr as a gRPC proxy for remote service invocation. This vulnerability impacts Dapr users who use Dapr as a gRPC proxy for remote service invocation as well as the Dapr App API token functionality. An attacker could exploit this vulnerability to gain access to the app token of the invoker app, potentially compromising security and authentication mechanisms. This vulnerability was patched in version 1.13.3.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/dapr/dapr/commit/e0591e43d0cdfd30a2f2960dce5d9892dc98bc2c
https://github.com/dapr/dapr/issues/7344
https://github.com/dapr/dapr/pull/7404
https://github.com/dapr/dapr/releases/tag/v1.13.3
https://github.com/dapr/dapr/security/advisories/GHSA-284c-x8m7-9w5h

Configurations

No configuration.

History

No history.

Information

Published : 2024-05-23 09:15

Updated : 2024-05-24 01:15

NVD link : CVE-2024-35223

Mitre link : CVE-2024-35223

CVE.ORG link : CVE-2024-35223

JSON object : View

Products Affected

No product.

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2024-35223", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2024-05-23T09:15:09.890", "references": [{"url": "https://github.com/dapr/dapr/commit/e0591e43d0cdfd30a2f2960dce5d9892dc98bc2c", "source": "security-advisories@github.com"}, {"url": "https://github.com/dapr/dapr/issues/7344", "source": "security-advisories@github.com"}, {"url": "https://github.com/dapr/dapr/pull/7404", "source": "security-advisories@github.com"}, {"url": "https://github.com/dapr/dapr/releases/tag/v1.13.3", "source": "security-advisories@github.com"}, {"url": "https://github.com/dapr/dapr/security/advisories/GHSA-284c-x8m7-9w5h", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge. Dapr sends the app token of the invoker app instead of the app token of the invoked app. This causes of a leak of the application token of the invoker app to the invoked app when using Dapr as a gRPC proxy for remote service invocation. This vulnerability impacts Dapr users who use Dapr as a gRPC proxy for remote service invocation as well as the Dapr App API token functionality. An attacker could exploit this vulnerability to gain access to the app token of the invoker app, potentially compromising security and authentication mechanisms. This vulnerability was patched in version 1.13.3.\n"}, {"lang": "es", "value": "Dapr es un tiempo de ejecuci\u00f3n port\u00e1til, controlado por eventos, para crear aplicaciones distribuidas en la nube y en el per\u00edmetro. Dapr env\u00eda el token de aplicaci\u00f3n de la aplicaci\u00f3n invocadora en lugar del token de aplicaci\u00f3n de la aplicaci\u00f3n invocada. Esto provoca una fuga del token de aplicaci\u00f3n de la aplicaci\u00f3n invocadora a la aplicaci\u00f3n invocada cuando se usa Dapr como proxy gRPC para la invocaci\u00f3n de servicios remotos. Esta vulnerabilidad afecta a los usuarios de Dapr que usan Dapr como proxy gRPC para la invocaci\u00f3n de servicios remotos, as\u00ed como a la funcionalidad del token API de la aplicaci\u00f3n Dapr. Un atacante podr\u00eda aprovechar esta vulnerabilidad para obtener acceso al token de la aplicaci\u00f3n invocadora, lo que podr\u00eda comprometer los mecanismos de seguridad y autenticaci\u00f3n. Esta vulnerabilidad fue parcheada en la versi\u00f3n 1.13.3."}], "lastModified": "2024-05-24T01:15:30.977", "sourceIdentifier": "security-advisories@github.com"}