CVE-2022-21707

wasmCloud Host Runtime is a server process that securely hosts and provides dispatch for web assembly (WASM) actors and capability providers. In versions prior to 0.52.2 actors can bypass capability authorization. Actors are normally required to declare their capabilities for inbound invocations, but with this vulnerability actor capability claims are not verified upon receiving invocations. This compromises the security model for actors as they can receive unauthorized invocations from linked capability providers. The problem has been patched in versions `0.52.2` and greater. There is no workaround and users are advised to upgrade to an unaffected version as soon as possible.
Configurations

Configuration 1 (hide)

cpe:2.3:a:wasmcloud:host_runtime:*:*:*:*:*:*:*:*

History

21 Nov 2024, 06:45

Type Values Removed Values Added
References () https://github.com/wasmCloud/wasmcloud-otp/commit/fd07262074b98b06106a31fd1957dc2319d438a5 - Patch, Third Party Advisory () https://github.com/wasmCloud/wasmcloud-otp/commit/fd07262074b98b06106a31fd1957dc2319d438a5 - Patch, Third Party Advisory
References () https://github.com/wasmCloud/wasmcloud-otp/security/advisories/GHSA-2cmx-rr54-88g5 - Third Party Advisory () https://github.com/wasmCloud/wasmcloud-otp/security/advisories/GHSA-2cmx-rr54-88g5 - Third Party Advisory
CVSS v2 : 5.5
v3 : 8.1
v2 : 5.5
v3 : 6.3

24 Jul 2023, 13:52

Type Values Removed Values Added
CWE CWE-863 CWE-862

28 Jan 2022, 15:08

Type Values Removed Values Added
References (MISC) https://github.com/wasmCloud/wasmcloud-otp/commit/fd07262074b98b06106a31fd1957dc2319d438a5 - (MISC) https://github.com/wasmCloud/wasmcloud-otp/commit/fd07262074b98b06106a31fd1957dc2319d438a5 - Patch, Third Party Advisory
References (CONFIRM) https://github.com/wasmCloud/wasmcloud-otp/security/advisories/GHSA-2cmx-rr54-88g5 - (CONFIRM) https://github.com/wasmCloud/wasmcloud-otp/security/advisories/GHSA-2cmx-rr54-88g5 - Third Party Advisory
CPE cpe:2.3:a:wasmcloud:host_runtime:*:*:*:*:*:*:*:*
CWE CWE-863
CVSS v2 : unknown
v3 : unknown
v2 : 5.5
v3 : 8.1

21 Jan 2022, 23:15

Type Values Removed Values Added
New CVE

Information

Published : 2022-01-21 23:15

Updated : 2024-11-21 06:45


NVD link : CVE-2022-21707

Mitre link : CVE-2022-21707

CVE.ORG link : CVE-2022-21707


JSON object : View

Products Affected

wasmcloud

  • host_runtime
CWE
CWE-863

Incorrect Authorization

CWE-862

Missing Authorization