
CVE-2022-38817: Vulnerabilities exist for unauthorized access to sensitive information and application closure · Issue #222 · dapr/dashboard

Dapr Dashboard v0.1.0 through v0.10.0 is vulnerable to Incorrect Access Control that allows attackers to obtain sensitive data.

CVE
Tags: #vulnerability #redis #auth #mongo

Detail

According to analysis and research, an attacker can use this unauthorized-access vulnerability to read, without any authentication, the plaintext configuration of Redis, MongoDB, RabbitMQ and other applications deployed in the cloud, and can then use that configuration information to obtain sensitive data held there. In addition, a Dapr Dashboard deployed with the Actions option enabled (verified on v0.2.0) can be shut down by an unauthenticated attacker, causing business interruption.

Example

Repair

Temporary Mitigation: Apply strict allowlist (whitelist) access controls to the affected assets so that only trusted source networks can reach the dashboard.
Solution: Add login authentication to the Dapr Dashboard.
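The two controls above, a source-network allowlist as the stop-gap and login authentication as the fix, are what an authenticating reverse proxy placed in front of the dashboard would enforce before forwarding a request. The following is an added illustration of that gate, written for this page; it is not Dapr's code and the dashboard itself ships no such check in the affected versions. The allowed subnet, the username and the password are constructed sample values, and an unauthenticated dashboard corresponds to a gate that returns 200 for every caller.

```python
"""Access gate for an internal dashboard: source-IP allowlist plus login.

Added illustration, not Dapr's own code. Models the advisory's two
controls (temporary allowlist, then authentication) as the check an
authenticating reverse proxy runs before forwarding to the dashboard.
"""
import base64
import binascii
import hashlib
import hmac
import ipaddress
import os
from typing import Optional

# Constructed sample: only the operations subnet may reach the dashboard.
ALLOWED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 so the credential store never holds plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed credential store: username -> (salt, password hash).
_SALT = os.urandom(16)
USERS = {"ops-admin": (_SALT, hash_password("correct horse battery staple", _SALT))}


def ip_allowed(remote_ip: str) -> bool:
    """Temporary mitigation: reject any caller outside the allowlisted networks."""
    try:
        addr = ipaddress.ip_address(remote_ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_NETWORKS)


def credentials_valid(authorization: Optional[str]) -> Optional[str]:
    """Return the username if the Basic Authorization header is valid, else None."""
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(authorization[6:], validate=True).decode()
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep or user not in USERS:
        # Spend the same hashing cost for unknown users so response timing
        # does not reveal which usernames exist.
        hash_password(password, b"\x00" * 16)
        return None
    salt, expected = USERS[user]
    if hmac.compare_digest(hash_password(password, salt), expected):
        return user
    return None


def authorize(remote_ip: str, authorization: Optional[str] = None) -> int:
    """HTTP status the gate returns: 200 forward, 401 login required, 403 blocked."""
    if not ip_allowed(remote_ip):
        return 403
    if credentials_valid(authorization) is None:
        return 401
    return 200


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header a browser sends for HTTP Basic login."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


if __name__ == "__main__":
    # Constructed requests: outside the allowlist, inside without login, inside with login.
    print(authorize("192.0.2.10"))
    print(authorize("10.20.5.7"))
    print(authorize("10.20.5.7", basic_header("ops-admin", "correct horse battery staple")))
```

The order of the checks matters: the network allowlist runs first, so a caller outside the trusted subnet is refused before any credential is examined, which is exactly the protection the temporary mitigation gives while authentication is being added. Replacing HTTP Basic with an identity provider (for example an OIDC proxy) keeps the same 403/401/200 shape; only `credentials_valid` changes.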

Related news

GHSA-2w6m-q946-399r: Dapr Dashboard vulnerable to Incorrect Access Control
