Executive Summary

Information
Name: CVE-2024-35223
Vendor: Cve
First vendor Publication: 2024-05-23
Last vendor Modification: 2024-05-24

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score: NA
Base Score: NA
Environmental Score: NA
Impact SubScore: NA
Temporal Score: NA
Exploitability Sub Score: NA
 

Security-Database Scoring CVSS v2

Cvss vector :
Cvss Base Score: N/A
Cvss Impact Score: N/A
Cvss Exploit Score: N/A
Attack Range: N/A
Attack Complexity: N/A
Authentication: N/A

Detail

Dapr is a portable, event-driven runtime for building distributed applications across cloud and edge. Dapr sends the app token of the invoker app instead of the app token of the invoked app. This causes a leak of the application token of the invoker app to the invoked app when using Dapr as a gRPC proxy for remote service invocation. This vulnerability impacts Dapr users who use Dapr as a gRPC proxy for remote service invocation as well as the Dapr App API token functionality. An attacker could exploit this vulnerability to gain access to the app token of the invoker app, potentially compromising security and authentication mechanisms. This vulnerability was patched in version 1.13.3.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-35223

Sources (Detail)

https://github.com/dapr/dapr/commit/e0591e43d0cdfd30a2f2960dce5d9892dc98bc2c
https://github.com/dapr/dapr/issues/7344
https://github.com/dapr/dapr/pull/7404
https://github.com/dapr/dapr/releases/tag/v1.13.3
https://github.com/dapr/dapr/security/advisories/GHSA-284c-x8m7-9w5h

Alert History

Date Information
2024-05-24 09:27:27
  • Multiple Updates
2024-05-23 13:27:26
  • First insertion