8.1
CVE-2022-21707
- EPSS 0.95%
- Veröffentlicht 21.01.2022 23:15:08
- Zuletzt bearbeitet 21.11.2024 06:45:16
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginIncorrect Authorization in wasmCloud
wasmCloud Host Runtime is a server process that securely hosts and provides dispatch for web assembly (WASM) actors and capability providers. In versions prior to 0.52.2 actors can bypass capability authorization. Actors are normally required to declare their capabilities for inbound invocations, but with this vulnerability actor capability claims are not verified upon receiving invocations. This compromises the security model for actors as they can receive unauthorized invocations from linked capability providers. The problem has been patched in versions `0.52.2` and greater. There is no workaround and users are advised to upgrade to an unaffected version as soon as possible.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Wasmcloud ≫ Host Runtime Version < 0.52.2
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.95% | 0.565 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.1 | 2.8 | 5.2 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
|
| nvd@nist.gov | 5.5 | 8 | 4.9 |
AV:N/AC:L/Au:S/C:P/I:P/A:N
|
| security-advisories@github.com | 6.3 | 2.1 | 4.2 |
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
|
CWE-862 Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-863 Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
https://github.com/wasmCloud/wasmcloud-otp/commit/fd07262074b98b06106a31fd1957dc2319d438a5
https://github.com/wasmCloud/wasmcloud-otp/security/advisories/GHSA-2cmx-rr54-88g5