wasmCloud Host Runtime is a server process that securely hosts and provides dispatch for web assembly (WASM) actors and capability providers. In versions prior to 0.52.2 actors can bypass capability authorization. Actors are normally required to declare their capabilities for inbound invocations, but with this vulnerability actor capability claims are not verified upon receiving invocations. This compromises the security model for actors as they can receive unauthorized invocations from linked capability providers. The problem has been patched in versions `0.52.2` and greater. There is no workaround and users are advised to upgrade to an unaffected version as soon as possible.
References
Link | Resource |
---|---|
https://github.com/wasmCloud/wasmcloud-otp/commit/fd07262074b98b06106a31fd1957dc2319d438a5 | Patch Third Party Advisory |
https://github.com/wasmCloud/wasmcloud-otp/security/advisories/GHSA-2cmx-rr54-88g5 | Third Party Advisory |
https://github.com/wasmCloud/wasmcloud-otp/commit/fd07262074b98b06106a31fd1957dc2319d438a5 | Patch Third Party Advisory |
https://github.com/wasmCloud/wasmcloud-otp/security/advisories/GHSA-2cmx-rr54-88g5 | Third Party Advisory |
Configurations
History
21 Nov 2024, 06:45
Type | Values Removed | Values Added |
---|---|---|
References | () https://github.com/wasmCloud/wasmcloud-otp/commit/fd07262074b98b06106a31fd1957dc2319d438a5 - Patch, Third Party Advisory | |
References | () https://github.com/wasmCloud/wasmcloud-otp/security/advisories/GHSA-2cmx-rr54-88g5 - Third Party Advisory | |
CVSS |
v2 : v3 : |
v2 : 5.5
v3 : 6.3 |
24 Jul 2023, 13:52
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-862 |
28 Jan 2022, 15:08
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://github.com/wasmCloud/wasmcloud-otp/commit/fd07262074b98b06106a31fd1957dc2319d438a5 - Patch, Third Party Advisory | |
References | (CONFIRM) https://github.com/wasmCloud/wasmcloud-otp/security/advisories/GHSA-2cmx-rr54-88g5 - Third Party Advisory | |
CPE | cpe:2.3:a:wasmcloud:host_runtime:*:*:*:*:*:*:*:* | |
CWE | CWE-863 | |
CVSS |
v2 : v3 : |
v2 : 5.5
v3 : 8.1 |
21 Jan 2022, 23:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-01-21 23:15
Updated : 2024-11-21 06:45
NVD link : CVE-2022-21707
Mitre link : CVE-2022-21707
CVE.ORG link : CVE-2022-21707
JSON object : View
Products Affected
wasmcloud
- host_runtime