
CVE-2024-35223: Dapr API Token Exposure

May 22, 2024

A vulnerability has been found in Dapr that causes a leak of the application token of the invoker app to the invoked app when using Dapr as a gRPC proxy for remote service invocation. This issue arises because Dapr sends the app token of the invoker app instead of the app token of the invoked app.

Users who leverage Dapr for gRPC proxy service invocation and are using the app API token feature are encouraged to upgrade Dapr to version 1.13.3.

References

  • github.com/advisories/GHSA-284c-x8m7-9w5h
  • github.com/dapr/dapr
  • github.com/dapr/dapr/commit/e0591e43d0cdfd30a2f2960dce5d9892dc98bc2c
  • github.com/dapr/dapr/releases/tag/v1.13.3
  • github.com/dapr/dapr/security/advisories/GHSA-284c-x8m7-9w5h
  • nvd.nist.gov/vuln/detail/CVE-2024-35223


Affected versions

All versions starting from 1.13.0 before 1.13.3

Fixed versions

  • 1.13.3

Solution

Upgrade to version 1.13.3 or above.

Impact

5.3 MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Weakness

  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Source file

go/github.com/dapr/dapr/CVE-2024-35223.yml


Page generated Wed, 14 May 2025 12:16:15 +0000.