Dapr 1.10.9 [security]
This update contains security fixes:
- Security: API token authentication bypass in HTTP endpoints (Security advisory)
- Security: Potential DoS in avro dependency (CVE-2023-37475)
Security: API token authentication bypass in HTTP endpoints
Problem
A moderate-severity vulnerability has been found in Dapr that allows bypassing API token authentication with a well-crafted HTTP request. API token authentication is the mechanism the Dapr sidecar uses to authenticate calls coming from the application.
Impact
The vulnerability impacts all users on Dapr <=1.10.9 and <=1.11.2 who are using API token authentication.
Root cause
The Dapr sidecar allowed all requests containing /healthz anywhere in the URL (including the query string) to bypass API token authentication.
Solution
We have changed the API token authentication middleware to match health check endpoints more strictly, so that only requests to those endpoints bypass authentication.
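The following is an added illustration of the root cause and the fix, written for this note; it is not Dapr's own middleware code. It assumes that the sidecar's health check routes are `/v1.0/healthz` and `/v1.0/healthz/outbound` and that the token arrives in the `dapr-api-token` header. The flawed exemption check looks for the substring `/healthz` in the whole request URI, so the query string is enough to skip authentication; the strict check parses the URL and compares only the cleaned path against an explicit allow list.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"path"
	"strings"
)

// Health check routes that may be called without an API token (assumed for this example).
var healthPaths = map[string]bool{
	"/v1.0/healthz":          true,
	"/v1.0/healthz/outbound": true,
}

// vulnerableIsExempt reproduces the flawed pattern: a substring match over the full
// request URI, so "/healthz" inside the query string also disables authentication.
func vulnerableIsExempt(requestURI string) bool {
	return strings.Contains(requestURI, "/healthz")
}

// strictIsExempt parses the URI, drops the query string and normalises the path
// before checking it against the explicit allow list.
func strictIsExempt(requestURI string) bool {
	u, err := url.Parse(requestURI)
	if err != nil {
		return false // unparsable URI: fall back to requiring the token
	}
	return healthPaths[path.Clean(u.Path)]
}

// apiTokenMiddleware enforces the token on every request except those the
// supplied exemption check approves. Header name "dapr-api-token" is assumed.
func apiTokenMiddleware(expected string, exempt func(string) bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if exempt(r.URL.RequestURI()) {
			next.ServeHTTP(w, r)
			return
		}
		got := r.Header.Get("dapr-api-token")
		// Constant-time comparison so the check does not leak token bytes through timing.
		if subtle.ConstantTimeCompare([]byte(got), []byte(expected)) != 1 {
			http.Error(w, "invalid api token", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// status sends one constructed request through the middleware and returns the HTTP status.
func status(exempt func(string) bool, target, token string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	h := apiTokenMiddleware("constructed-example-token", exempt, ok)
	req := httptest.NewRequest(http.MethodGet, target, nil)
	if token != "" {
		req.Header.Set("dapr-api-token", token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Constructed request: an ordinary API path with "/healthz" only in the query string.
	target := "/v1.0/state/store?note=/healthz"
	fmt.Println("vulnerable check, no token:", status(vulnerableIsExempt, target, "")) // 200: bypass
	fmt.Println("strict check, no token:    ", status(strictIsExempt, target, ""))     // 401
	fmt.Println("strict check, real healthz:", status(strictIsExempt, "/v1.0/healthz", ""))
}
```

The strict variant also normalises the path with `path.Clean`, so a path such as `/v1.0/healthz/../state/store` is compared as `/v1.0/state/store` and still requires the token; an explicit allow list keyed on the cleaned path is the property to verify when reviewing any authentication exemption.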
Security: Potential DoS in avro dependency (CVE-2023-37475)
Problem
An issue in the third-party avro dependency could cause resource exhaustion and a denial of service (DoS) in Dapr.
Impact
This issue impacts users of Dapr that use the Pulsar components.
Root cause
The issue was in a third-party dependency.
Solution
We have upgraded the avro dependency to version 2.13.0, which contains a fix for the reported issue.