Home > Vulnerability Database > CVE-2024-35223

Mend.io Vulnerability Database

CVE-2024-35223

Good to know:

Date: May 23, 2024

Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge. Dapr sends the app token of the invoker app instead of the app token of the invoked app. This causes of a leak of the application token of the invoker app to the invoked app when using Dapr as a gRPC proxy for remote service invocation. This vulnerability impacts Dapr users who use Dapr as a gRPC proxy for remote service invocation as well as the Dapr App API token functionality. An attacker could exploit this vulnerability to gain access to the app token of the invoker app, potentially compromising security and authentication mechanisms. This vulnerability was patched in version 1.13.3.

Language: Go

Severity Score

5.3

Related Resources (8)

Url: https://github.com/dapr/dapr/issues/7344

Url: https://github.com/dapr/dapr/releases/tag/v1.13.3

Url: https://github.com/dapr/dapr/commit/e0591e43d0cdfd30a2f2960dce5d9892dc98bc2c

Url: https://github.com/dapr/dapr

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-35223

Url: https://github.com/dapr/dapr/security/advisories/GHSA-284c-x8m7-9w5h

Url: https://github.com/dapr/dapr/pull/7404

Url: https://www.mend.io/vulnerability-database/CVE-2024-35223

Severity Score

5.3

Weakness Type (CWE)

Information Leak / Disclosure

CWE-200

Top Fix

Upgrade Version

Upgrade to version dapr/dapr-v1.13.3

Learn More

CVSS v3.1

Base Score:	5.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-35223

Good to know:

Date: May 23, 2024

Language: Go

Severity Score

Related Resources (8)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?