Vulnerabilities > CVE-2022-21707 - Missing Authorization vulnerability in Wasmcloud Host Runtime

CVSS 8.1 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

NONE

network

low complexity

wasmcloud

CWE-862

NVD

Published: 2022-01-21

Updated: 2023-07-24

Summary

wasmCloud Host Runtime is a server process that securely hosts and provides dispatch for web assembly (WASM) actors and capability providers. In versions prior to 0.52.2 actors can bypass capability authorization. Actors are normally required to declare their capabilities for inbound invocations, but with this vulnerability actor capability claims are not verified upon receiving invocations. This compromises the security model for actors as they can receive unauthorized invocations from linked capability providers. The problem has been patched in versions `0.52.2` and greater. There is no workaround and users are advised to upgrade to an unaffected version as soon as possible.

Vulnerable Configurations

Part	Description	Count
Application	Wasmcloud Wasmcloud Host Runtime 0.50.0 Wasmcloud Host Runtime 0.50.1 Wasmcloud Host Runtime 0.50.2 Wasmcloud Host Runtime 0.50.3 Wasmcloud Host Runtime 0.51.0 Wasmcloud Host Runtime 0.51.1 Wasmcloud Host Runtime 0.51.2 Wasmcloud Host Runtime 0.51.3 Wasmcloud Host Runtime 0.51.4 Wasmcloud Host Runtime 0.52.0 Wasmcloud Host Runtime 0.52.1	11

Common Weakness Enumeration (CWE)

CWE-862 - Missing Authorization

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References