CVE-2024-35223 - Vulnerability Details - OpenCVE

Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge. Dapr sends the app token of the invoker app instead of the app token of the invoked app. This causes of a leak of the application token of the invoker app to the invoked app when using Dapr as a gRPC proxy for remote service invocation. This vulnerability impacts Dapr users who use Dapr as a gRPC proxy for remote service invocation as well as the Dapr App API token functionality. An attacker could exploit this vulnerability to gain access to the app token of the invoker app, potentially compromising security and authentication mechanisms. This vulnerability was patched in version 1.13.3.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable yes

Technical Impact partial

Vendors	Products
Dapr	Dapr

No data.

No data.

References

Link	Providers
https://github.com/dapr/dapr/commit/e0591e43d0cdfd30a2f2960dce5d9892dc98bc2c
https://github.com/dapr/dapr/issues/7344
https://github.com/dapr/dapr/pull/7404
https://github.com/dapr/dapr/releases/tag/v1.13.3
https://github.com/dapr/dapr/security/advisories/GHSA-284c-x8m7-9w5h

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-05-23T08:47:40.289Z

Updated: 2024-08-02T03:07:46.803Z

Reserved: 2024-05-14T15:39:41.784Z

Link: CVE-2024-35223

Vulnrichment

Updated: 2024-05-23T20:32:16.055Z

NVD

Status : Awaiting Analysis

Published: 2024-05-23T09:15:09.890

Modified: 2024-11-21T09:19:58.247

Link: CVE-2024-35223

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-35223", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-05-14T15:39:41.784Z", "datePublished": "2024-05-23T08:47:40.289Z", "dateUpdated": "2024-08-02T03:07:46.803Z"}, "containers": {"cna": {"title": "Dapr API Token Exposure", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/dapr/dapr/security/advisories/GHSA-284c-x8m7-9w5h", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/dapr/dapr/security/advisories/GHSA-284c-x8m7-9w5h"}, {"name": "https://github.com/dapr/dapr/issues/7344", "tags": ["x_refsource_MISC"], "url": "https://github.com/dapr/dapr/issues/7344"}, {"name": "https://github.com/dapr/dapr/pull/7404", "tags": ["x_refsource_MISC"], "url": "https://github.com/dapr/dapr/pull/7404"}, {"name": "https://github.com/dapr/dapr/commit/e0591e43d0cdfd30a2f2960dce5d9892dc98bc2c", "tags": ["x_refsource_MISC"], "url": "https://github.com/dapr/dapr/commit/e0591e43d0cdfd30a2f2960dce5d9892dc98bc2c"}, {"name": "https://github.com/dapr/dapr/releases/tag/v1.13.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/dapr/dapr/releases/tag/v1.13.3"}], "affected": [{"vendor": "dapr", "product": "dapr", "versions": [{"version": ">= 1.13.0, < 1.13.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-05-23T08:47:40.289Z"}, "descriptions": [{"lang": "en", "value": "Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge. Dapr sends the app token of the invoker app instead of the app token of the invoked app. This causes of a leak of the application token of the invoker app to the invoked app when using Dapr as a gRPC proxy for remote service invocation. This vulnerability impacts Dapr users who use Dapr as a gRPC proxy for remote service invocation as well as the Dapr App API token functionality. An attacker could exploit this vulnerability to gain access to the app token of the invoker app, potentially compromising security and authentication mechanisms. This vulnerability was patched in version 1.13.3.\n"}], "source": {"advisory": "GHSA-284c-x8m7-9w5h", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-35223", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-23T20:26:00.242110Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:dapr:dapr:*:*:*:*:*:*:*:*"], "vendor": "dapr", "product": "dapr", "versions": [{"status": "affected", "version": "1.11.2", "versionType": "custom", "lessThanOrEqual": "1.13.3"}], "defaultStatus": "affected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:34:03.746Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:07:46.803Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/dapr/dapr/security/advisories/GHSA-284c-x8m7-9w5h", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/dapr/dapr/security/advisories/GHSA-284c-x8m7-9w5h"}, {"name": "https://github.com/dapr/dapr/issues/7344", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/dapr/dapr/issues/7344"}, {"name": "https://github.com/dapr/dapr/pull/7404", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/dapr/dapr/pull/7404"}, {"name": "https://github.com/dapr/dapr/commit/e0591e43d0cdfd30a2f2960dce5d9892dc98bc2c", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/dapr/dapr/commit/e0591e43d0cdfd30a2f2960dce5d9892dc98bc2c"}, {"name": "https://github.com/dapr/dapr/releases/tag/v1.13.3", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/dapr/dapr/releases/tag/v1.13.3"}]}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-35223", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-05-14T15:39:41.784Z", "datePublished": "2024-05-23T08:47:40.289Z", "dateUpdated": "2024-06-04T17:34:03.746Z"}, "containers": {"cna": {"title": "Dapr API Token Exposure", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/dapr/dapr/security/advisories/GHSA-284c-x8m7-9w5h", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/dapr/dapr/security/advisories/GHSA-284c-x8m7-9w5h"}, {"name": "https://github.com/dapr/dapr/issues/7344", "tags": ["x_refsource_MISC"], "url": "https://github.com/dapr/dapr/issues/7344"}, {"name": "https://github.com/dapr/dapr/pull/7404", "tags": ["x_refsource_MISC"], "url": "https://github.com/dapr/dapr/pull/7404"}, {"name": "https://github.com/dapr/dapr/commit/e0591e43d0cdfd30a2f2960dce5d9892dc98bc2c", "tags": ["x_refsource_MISC"], "url": "https://github.com/dapr/dapr/commit/e0591e43d0cdfd30a2f2960dce5d9892dc98bc2c"}, {"name": "https://github.com/dapr/dapr/releases/tag/v1.13.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/dapr/dapr/releases/tag/v1.13.3"}], "affected": [{"vendor": "dapr", "product": "dapr", "versions": [{"version": ">= 1.13.0, < 1.13.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-05-23T08:47:40.289Z"}, "descriptions": [{"lang": "en", "value": "Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge. Dapr sends the app token of the invoker app instead of the app token of the invoked app. This causes of a leak of the application token of the invoker app to the invoked app when using Dapr as a gRPC proxy for remote service invocation. This vulnerability impacts Dapr users who use Dapr as a gRPC proxy for remote service invocation as well as the Dapr App API token functionality. An attacker could exploit this vulnerability to gain access to the app token of the invoker app, potentially compromising security and authentication mechanisms. This vulnerability was patched in version 1.13.3.\n"}], "source": {"advisory": "GHSA-284c-x8m7-9w5h", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-35223", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-23T20:26:00.242110Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:dapr:dapr:*:*:*:*:*:*:*:*"], "vendor": "dapr", "product": "dapr", "versions": [{"status": "affected", "version": "1.11.2", "versionType": "custom", "lessThanOrEqual": "1.13.3"}], "defaultStatus": "affected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T20:32:16.055Z"}, "title": "CISA ADP Vulnrichment"}]}}

{"descriptions": [{"lang": "en", "value": "Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge. Dapr sends the app token of the invoker app instead of the app token of the invoked app. This causes of a leak of the application token of the invoker app to the invoked app when using Dapr as a gRPC proxy for remote service invocation. This vulnerability impacts Dapr users who use Dapr as a gRPC proxy for remote service invocation as well as the Dapr App API token functionality. An attacker could exploit this vulnerability to gain access to the app token of the invoker app, potentially compromising security and authentication mechanisms. This vulnerability was patched in version 1.13.3.\n"}, {"lang": "es", "value": "Dapr es un tiempo de ejecuci\u00f3n port\u00e1til, controlado por eventos, para crear aplicaciones distribuidas en la nube y en el per\u00edmetro. Dapr env\u00eda el token de aplicaci\u00f3n de la aplicaci\u00f3n invocadora en lugar del token de aplicaci\u00f3n de la aplicaci\u00f3n invocada. Esto provoca una fuga del token de aplicaci\u00f3n de la aplicaci\u00f3n invocadora a la aplicaci\u00f3n invocada cuando se usa Dapr como proxy gRPC para la invocaci\u00f3n de servicios remotos. Esta vulnerabilidad afecta a los usuarios de Dapr que usan Dapr como proxy gRPC para la invocaci\u00f3n de servicios remotos, as\u00ed como a la funcionalidad del token API de la aplicaci\u00f3n Dapr. Un atacante podr\u00eda aprovechar esta vulnerabilidad para obtener acceso al token de la aplicaci\u00f3n invocadora, lo que podr\u00eda comprometer los mecanismos de seguridad y autenticaci\u00f3n. Esta vulnerabilidad fue parcheada en la versi\u00f3n 1.13.3."}], "id": "CVE-2024-35223", "lastModified": "2024-11-21T09:19:58.247", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-05-23T09:15:09.890", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/dapr/dapr/commit/e0591e43d0cdfd30a2f2960dce5d9892dc98bc2c"}, {"source": "security-advisories@github.com", "url": "https://github.com/dapr/dapr/issues/7344"}, {"source": "security-advisories@github.com", "url": "https://github.com/dapr/dapr/pull/7404"}, {"source": "security-advisories@github.com", "url": "https://github.com/dapr/dapr/releases/tag/v1.13.3"}, {"source": "security-advisories@github.com", "url": "https://github.com/dapr/dapr/security/advisories/GHSA-284c-x8m7-9w5h"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/dapr/dapr/commit/e0591e43d0cdfd30a2f2960dce5d9892dc98bc2c"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/dapr/dapr/issues/7344"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/dapr/dapr/pull/7404"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/dapr/dapr/releases/tag/v1.13.3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/dapr/dapr/security/advisories/GHSA-284c-x8m7-9w5h"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Secondary"}]}