CVE Vulnerability

CVE-2022-21707

wasmCloud Host Runtime is a server process that securely hosts and provides dispatch for web assembly (WASM) actors and capability providers. In versions prior to 0.52.2 actors can bypass capability authorization. Actors are normally required to declare their capabilities for inbound invocations, but with this vulnerability actor capability claims are not verified upon receiving invocations. This compromises the security model for actors as they can receive unauthorized invocations from linked capability providers. The problem has been patched in versions `0.52.2` and greater. There is no workaround and users are advised to upgrade to an unaffected version as soon as possible.

5.5 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 8 / Impact : 4.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

Scope

8.1 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/wasmCloud/wasmcloud-otp/security/advisories/GHSA-2cmx-rr54-88g5 Third Party Advisory
https://github.com/wasmCloud/wasmcloud-otp/commit/fd07262074b98b06106a31fd1957dc2319d438a5 Patch Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:wasmcloud:host_runtime:*:*:*:*:*:*:*:*
Information

Published : 2022-01-21 11:15

Updated : 2022-01-28 03:08

NVD link : CVE-2022-21707

Mitre link : CVE-2022-21707

Products Affected
No products.
CWE
CWE-863