QwikSec

Security Database

CVE

CWE

Training

CVE-2024-35223

Published: May 23, 2024

Modified: Aug 2, 2024

PUBLISHED

CVSS v3.1

5.3

MEDIUM

Description

Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge. Dapr sends the app token of the invoker app instead of the app token of the invoked app. This causes of a leak of the application token of the invoker app to the invoked app when using Dapr as a gRPC proxy for remote service invocation. This vulnerability impacts Dapr users who use Dapr as a gRPC proxy for remote service invocation as well as the Dapr App API token functionality. An attacker could exploit this vulnerability to gain access to the app token of the invoker app, potentially compromising security and authentication mechanisms. This vulnerability was patched in version 1.13.3.

Vendor	Product	Versions
dapr	dapr	affected `>= 1.13.0, < 1.13.3`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

References

https://github.com/dapr/dapr/security/advisories/GHSA-284c-x8m7-9w5h

x_refsource_CONFIRM

https://github.com/dapr/dapr/issues/7344

x_refsource_MISC

https://github.com/dapr/dapr/pull/7404

x_refsource_MISC

https://github.com/dapr/dapr/commit/e0591e43d0cdfd30a2f2960dce5d9892dc98bc2c

x_refsource_MISC

https://github.com/dapr/dapr/releases/tag/v1.13.3

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.