Vulnerability Details : CVE-2022-21707
wasmCloud Host Runtime is a server process that securely hosts and provides dispatch for web assembly (WASM) actors and capability providers. In versions prior to 0.52.2 actors can bypass capability authorization. Actors are normally required to declare their capabilities for inbound invocations, but with this vulnerability actor capability claims are not verified upon receiving invocations. This compromises the security model for actors as they can receive unauthorized invocations from linked capability providers. The problem has been patched in versions `0.52.2` and greater. There is no workaround and users are advised to upgrade to an unaffected version as soon as possible.
Products affected by CVE-2022-21707
- cpe:2.3:a:wasmcloud:host_runtime:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-21707
0.06%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 25 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-21707
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.5
|
MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:N |
8.0
|
4.9
|
NIST | |
8.1
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
2.8
|
5.2
|
NIST | |
6.3
|
MEDIUM | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N |
2.1
|
4.2
|
GitHub, Inc. |
CWE ids for CVE-2022-21707
-
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.Assigned by: nvd@nist.gov (Primary)
-
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.Assigned by:
- nvd@nist.gov (Primary)
- security-advisories@github.com (Secondary)
References for CVE-2022-21707
-
https://github.com/wasmCloud/wasmcloud-otp/commit/fd07262074b98b06106a31fd1957dc2319d438a5
Merge pull request from GHSA-2cmx-rr54-88g5 · wasmCloud/wasmcloud-otp@fd07262 · GitHubPatch;Third Party Advisory
-
https://github.com/wasmCloud/wasmcloud-otp/security/advisories/GHSA-2cmx-rr54-88g5
wasmCloud actors without signed capabilities can receive unauthorized invocations · Advisory · wasmCloud/wasmcloud-otp · GitHubThird Party Advisory
Jump to