CVE-2023-37918

Published: Jul 21, 2023

Modified: Oct 10, 2024

PUBLISHED

CVSS v3.1

6.8

MEDIUM

Description

Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge. A vulnerability has been found in Dapr that allows bypassing API token authentication, which is used by the Dapr sidecar to authenticate calls coming from the application, with a well-crafted HTTP request. Users who leverage API token authentication are encouraged to upgrade Dapr to 1.10.9 or to 1.11.2. This vulnerability impacts Dapr users who have configured API token authentication. An attacker could craft a request that is always allowed by the Dapr sidecar over HTTP, even if the `dapr-api-token` in the request is invalid or missing. The issue has been fixed in Dapr 1.10.9 or to 1.11.2. There are no known workarounds for this vulnerability.

Vendor	Product	Versions
dapr	dapr	affected `< 1.11.2`

Weaknesses (CWE)

CWE-287

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

References

https://github.com/dapr/dapr/security/advisories/GHSA-59m6-82qm-vqgj

x_refsource_CONFIRM

https://github.com/dapr/dapr/commit/83ca1abb11ffe34211db55dcd36d96b94252827a

x_refsource_MISC

https://docs.dapr.io/operations/security/api-token/

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2023-37918

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References