CVE-2022-38817: Vulnerabilities exist for unauthorized access to sensitive information and application closure · Issue #222 · dapr/dashboard

Detail

According to analysis and research, malicious attackers can use this unauthorized access vulnerability to obtain plaintext configuration information of redis, mongodb, rabbitmq and other applications on the cloud without authorization, and can further use these configuration information to obtain sensitive data on the cloud. In addition, the Dapr Dashboard configured with the Actions option (v0.2.0 verified) can be closed by a malicious attacker without authorization, causing business interruption.

Example

Repair

Temporary Mitigation: Strict whitelist access controls can be applied to affected assets.
Solution: Add login authentication for Dapr Dashboard.