Description

Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge. Dapr sends the app token of the invoker app instead of the app token of the invoked app. This causes of a leak of the application token of the invoker app to the invoked app when using Dapr as a gRPC proxy for remote service invocation. This vulnerability impacts Dapr users who use Dapr as a gRPC proxy for remote service invocation as well as the Dapr App API token functionality. An attacker could exploit this vulnerability to gain access to the app token of the invoker app, potentially compromising security and authentication mechanisms. This vulnerability was patched in version 1.13.3.

INFO

Published Date :

2024-05-23T08:47:40.289Z

Last Modified :

2024-08-02T03:07:46.803Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2024-35223 vulnerability.

Vendors Products
Dapr
  • Dapr
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-35223.

URL Resource
https://github.com/dapr/dapr/commit/e0591e43d0cdfd30a2f2960dce5d9892dc98bc2c cve-icon cve-icon
https://github.com/dapr/dapr/issues/7344 cve-icon cve-icon
https://github.com/dapr/dapr/pull/7404 cve-icon cve-icon
https://github.com/dapr/dapr/releases/tag/v1.13.3 cve-icon cve-icon
https://github.com/dapr/dapr/security/advisories/GHSA-284c-x8m7-9w5h cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact