Podatność CVE-2022-21707


Publikacja: 2022-01-21   Modyfikacja: 2022-01-22

Opis:
wasmCloud Host Runtime is a server process that securely hosts and provides dispatch for web assembly (WASM) actors and capability providers. In versions prior to 0.52.2 actors can bypass capability authorization. Actors are normally required to declare their capabilities for inbound invocations, but with this vulnerability actor capability claims are not verified upon receiving invocations. This compromises the security model for actors as they can receive unauthorized invocations from linked capability providers. The problem has been patched in versions `0.52.2` and greater. There is no workaround and users are advised to upgrade to an unaffected version as soon as possible.

Typ:

CWE-863

(Incorrect Authorization)

CVSS2 => (AV:N/AC:L/Au:S/C:P/I:P/A:N)

Ogólna skala CVSS
Znaczenie
Łatwość wykorzystania
5.5/10
4.9/10
8/10
Wymagany dostęp
Złożoność ataku
Autoryzacja
Zdalny
Niska
Jednorazowa
Wpływ na poufność
Wpływ na integralność
Wpływ na dostępność
Częściowy
Częściowy
Brak
Affected software
Wasmcloud -> Host runtime 

 Referencje:
https://github.com/wasmCloud/wasmcloud-otp/security/advisories/GHSA-2cmx-rr54-88g5
https://github.com/wasmCloud/wasmcloud-otp/commit/fd07262074b98b06106a31fd1957dc2319d438a5

Copyright 2024, cxsecurity.com

 

Back to Top