nvd-json-data-feeds/CVE-2024/CVE-2024-352xx/CVE-2024-35223.json

{
  "id": "CVE-2024-35223",
  "sourceIdentifier": "security-advisories@github.com",
  "published": "2024-05-23T09:15:09.890",
  "lastModified": "2024-05-24T01:15:30.977",
  "vulnStatus": "Awaiting Analysis",
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge. Dapr sends the app token of the invoker app instead of the app token of the invoked app. This causes of a leak of the application token of the invoker app to the invoked app when using Dapr as a gRPC proxy for remote service invocation. This vulnerability impacts Dapr users who use Dapr as a gRPC proxy for remote service invocation as well as the Dapr App API token functionality. An attacker could exploit this vulnerability to gain access to the app token of the invoker app, potentially compromising security and authentication mechanisms. This vulnerability was patched in version 1.13.3.\n"
    },
    {
      "lang": "es",
      "value": "Dapr es un tiempo de ejecuci\u00f3n port\u00e1til, controlado por eventos, para crear aplicaciones distribuidas en la nube y en el per\u00edmetro. Dapr env\u00eda el token de aplicaci\u00f3n de la aplicaci\u00f3n invocadora en lugar del token de aplicaci\u00f3n de la aplicaci\u00f3n invocada. Esto provoca una fuga del token de aplicaci\u00f3n de la aplicaci\u00f3n invocadora a la aplicaci\u00f3n invocada cuando se usa Dapr como proxy gRPC para la invocaci\u00f3n de servicios remotos. Esta vulnerabilidad afecta a los usuarios de Dapr que usan Dapr como proxy gRPC para la invocaci\u00f3n de servicios remotos, as\u00ed como a la funcionalidad del token API de la aplicaci\u00f3n Dapr. Un atacante podr\u00eda aprovechar esta vulnerabilidad para obtener acceso al token de la aplicaci\u00f3n invocadora, lo que podr\u00eda comprometer los mecanismos de seguridad y autenticaci\u00f3n. Esta vulnerabilidad fue parcheada en la versi\u00f3n 1.13.3."
    }
  ],
  "metrics": {
    "cvssMetricV31": [
      {
        "source": "security-advisories@github.com",
        "type": "Secondary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "attackVector": "NETWORK",
          "attackComplexity": "LOW",
          "privilegesRequired": "NONE",
          "userInteraction": "NONE",
          "scope": "UNCHANGED",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4
      }
    ]
  },
  "weaknesses": [
    {
      "source": "security-advisories@github.com",
      "type": "Secondary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        }
      ]
    }
  ],
  "references": [
    {
      "url": "https://github.com/dapr/dapr/commit/e0591e43d0cdfd30a2f2960dce5d9892dc98bc2c",
      "source": "security-advisories@github.com"
    },
    {
      "url": "https://github.com/dapr/dapr/issues/7344",
      "source": "security-advisories@github.com"
    },
    {
      "url": "https://github.com/dapr/dapr/pull/7404",
      "source": "security-advisories@github.com"
    },
    {
      "url": "https://github.com/dapr/dapr/releases/tag/v1.13.3",
      "source": "security-advisories@github.com"
    },
    {
      "url": "https://github.com/dapr/dapr/security/advisories/GHSA-284c-x8m7-9w5h",
      "source": "security-advisories@github.com"
    }
  ]
}