CVE-2023-37918 API token authentication bypass in HTTP endpoints in Dapr

2023-07-2120:08:00

CWE-287

GitHub_M

www.cve.org

cve-2023-37918

api token authentication

dapr

http endpoints

vulnerability

upgrade

fixed

security concern

6.8 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

33.8%

JSON

Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge. A vulnerability has been found in Dapr that allows bypassing API token authentication, which is used by the Dapr sidecar to authenticate calls coming from the application, with a well-crafted HTTP request. Users who leverage API token authentication are encouraged to upgrade Dapr to 1.10.9 or to 1.11.2. This vulnerability impacts Dapr users who have configured API token authentication. An attacker could craft a request that is always allowed by the Dapr sidecar over HTTP, even if the dapr-api-token in the request is invalid or missing. The issue has been fixed in Dapr 1.10.9 or to 1.11.2. There are no known workarounds for this vulnerability.

CNA Affected

[
  {
    "vendor": "dapr",
    "product": "dapr",
    "versions": [
      {
        "version": "< 1.11.2",
        "status": "affected"
      }
    ]
  }
]