
4 vulnerabilities by dapr

CVE-2026-59096 (GCVE-0-2026-59096)

Vulnerability from cvelistv5 – Published: 2026-07-02 19:41 – Updated: 2026-07-02 19:41 X_Open Source
Title
Dapr - OIDC Discovery Issuer and JWKS URI Injection via Unvalidated X-Forwarded-Host
Summary
Dapr Sentry's OIDC discovery endpoint derives the issuer and jwks_uri of the /.well-known/openid-configuration document from the request Host, honoring an attacker-controlled X-Forwarded-Host header without validation when no allowed-hosts list is configured (the default), and serves the document with a one-hour public cache lifetime. A remote unauthenticated attacker can poison the discovery document so that relying parties performing dynamic (unpinned) discovery fetch the JWKS from an attacker-controlled server, causing attacker-signed JWTs to be accepted. Exploitation requires the OIDC server to be enabled without a configured jwt-issuer or oidc-allowed-hosts.
CWE
  • CWE-346 - Origin Validation Error
Assigner
Impacted products
Vendor Product Version
dapr dapr Affected: 1.17.0 (semver)
Affected: 1.18.0 (semver)
Credits
George Chen

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "dapr",
          "repo": "https://github.com/dapr/dapr",
          "vendor": "dapr",
          "versions": [
            {
              "status": "affected",
              "version": "1.17.0",
              "versionType": "semver"
            },
            {
              "status": "affected",
              "version": "1.18.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "George Chen"
        }
      ],
      "datePublic": "2026-05-27T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Dapr Sentry\u0027s OIDC discovery endpoint derives the issuer and jwks_uri of the /.well-known/openid-configuration document from the request Host, honoring an attacker-controlled X-Forwarded-Host header without validation when no allowed-hosts list is configured (the default), and serves the document with a one-hour public cache lifetime. A remote unauthenticated attacker can poison the discovery document so relying parties performing dynamic (unpinned) discovery fetch the JWKS from an attacker-controlled server, causing attacker-signed JWTs to be accepted. Exploitation requires the OIDC server enabled without a configured jwt-issuer or oidc-allowed-hosts."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-346",
              "description": "Origin Validation Error",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-02T19:41:40.984Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "name": "Fix PR",
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/dapr/dapr/pull/10027"
        },
        {
          "name": "Backport release-1.17",
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/dapr/dapr/pull/10028"
        },
        {
          "name": "Backport release-1.18",
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/dapr/dapr/pull/10029"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.vulncheck.com/advisories/dapr-oidc-discovery-issuer-and-jwks-uri-injection-via-unvalidated-x-forwarded-host"
        }
      ],
      "tags": [
        "x_open-source"
      ],
      "title": "Dapr - OIDC Discovery Issuer and JWKS URI Injection via Unvalidated X-Forwarded-Host",
      "x_generator": {
        "engine": "vulncheck-endgame"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2026-59096",
    "datePublished": "2026-07-02T19:41:40.984Z",
    "dateReserved": "2026-07-02T15:38:18.928Z",
    "dateUpdated": "2026-07-02T19:41:40.984Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-41491 (GCVE-0-2026-41491)

Vulnerability from cvelistv5 – Published: 2026-05-08 13:11 – Updated: 2026-05-08 13:58
Title
Dapr: Service Invocation path traversal ACL bypass
Summary
Dapr is a portable, event-driven runtime for building distributed applications across cloud and edge. Versions from 1.3.0 up to but not including 1.15.14, from 1.16.0-rc.1 up to but not including 1.16.14, and from 1.17.0-rc.1 up to but not including 1.17.5 contain a vulnerability that allows bypassing access control policies for service invocation using reserved URL characters and path traversal sequences in method paths. The ACL normalized the method path independently of the dispatch layer, so the ACL evaluated one path while the target application received a different one. This issue has been patched in versions 1.15.14, 1.16.14, and 1.17.5.
CWE
  • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • CWE-284 - Improper Access Control
Assigner
References
Impacted products
Vendor Product Version
dapr dapr Affected: >= 1.3.0, < 1.15.14
Affected: >= 1.16.0-rc.1, < 1.16.14
Affected: >= 1.17.0-rc.1, < 1.17.5

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-41491",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-08T13:58:49.341365Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-08T13:58:57.832Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "dapr",
          "vendor": "dapr",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.3.0, \u003c 1.15.14"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.16.0-rc.1, \u003c 1.16.14"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.17.0-rc.1, \u003c 1.17.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge. From versions 1.3.0 to before 1.15.14, 1.16.0-rc.1 to before 1.16.14, and 1.17.0-rc.1 to before 1.17.5, a vulnerability has been found in Dapr that allows bypassing access control policies for service invocation using reserved URL characters and path traversal sequences in method paths. The ACL normalized the method path independently from the dispatch layer, so the ACL evaluated one path while the target application received a different one. This issue has been patched in versions 1.15.14, 1.16.14, and 1.17.5."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284: Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-08T13:11:13.128Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/dapr/dapr/security/advisories/GHSA-85gx-3qv6-4463",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/dapr/dapr/security/advisories/GHSA-85gx-3qv6-4463"
        },
        {
          "name": "https://github.com/dapr/dapr/pull/9589",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/dapr/dapr/pull/9589"
        }
      ],
      "source": {
        "advisory": "GHSA-85gx-3qv6-4463",
        "discovery": "UNKNOWN"
      },
      "title": "Dapr: Service Invocation path traversal ACL bypass"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-41491",
    "datePublished": "2026-05-08T13:11:13.128Z",
    "dateReserved": "2026-04-20T16:14:19.008Z",
    "dateUpdated": "2026-05-08T13:58:57.832Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-35223 (GCVE-0-2024-35223)

Vulnerability from cvelistv5 – Published: 2024-05-23 08:47 – Updated: 2024-08-02 03:07
Title
Dapr API Token Exposure
Summary
Dapr is a portable, event-driven runtime for building distributed applications across cloud and edge. Dapr sends the app token of the invoker app instead of the app token of the invoked app. This leaks the application token of the invoker app to the invoked app when Dapr is used as a gRPC proxy for remote service invocation. This vulnerability impacts Dapr users who use Dapr as a gRPC proxy for remote service invocation together with the Dapr App API token functionality. An attacker could exploit this vulnerability to gain access to the app token of the invoker app, potentially compromising security and authentication mechanisms. This vulnerability was patched in version 1.13.3.
CWE
  • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
Impacted products
Vendor Product Version
dapr dapr Affected: >= 1.13.0, < 1.13.3

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:dapr:dapr:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "affected",
            "product": "dapr",
            "vendor": "dapr",
            "versions": [
              {
                "lessThanOrEqual": "1.13.3",
                "status": "affected",
                "version": "1.11.2",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-35223",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-23T20:26:00.242110Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:34:03.746Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T03:07:46.803Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/dapr/dapr/security/advisories/GHSA-284c-x8m7-9w5h",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/dapr/dapr/security/advisories/GHSA-284c-x8m7-9w5h"
          },
          {
            "name": "https://github.com/dapr/dapr/issues/7344",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/dapr/dapr/issues/7344"
          },
          {
            "name": "https://github.com/dapr/dapr/pull/7404",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/dapr/dapr/pull/7404"
          },
          {
            "name": "https://github.com/dapr/dapr/commit/e0591e43d0cdfd30a2f2960dce5d9892dc98bc2c",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/dapr/dapr/commit/e0591e43d0cdfd30a2f2960dce5d9892dc98bc2c"
          },
          {
            "name": "https://github.com/dapr/dapr/releases/tag/v1.13.3",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/dapr/dapr/releases/tag/v1.13.3"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "dapr",
          "vendor": "dapr",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.13.0, \u003c 1.13.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge. Dapr sends the app token of the invoker app instead of the app token of the invoked app. This causes of a leak of the application token of the invoker app to the invoked app when using Dapr as a gRPC proxy for remote service invocation. This vulnerability impacts Dapr users who use Dapr as a gRPC proxy for remote service invocation as well as the Dapr App API token functionality. An attacker could exploit this vulnerability to gain access to the app token of the invoker app, potentially compromising security and authentication mechanisms. This vulnerability was patched in version 1.13.3.\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-05-23T08:47:40.289Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/dapr/dapr/security/advisories/GHSA-284c-x8m7-9w5h",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/dapr/dapr/security/advisories/GHSA-284c-x8m7-9w5h"
        },
        {
          "name": "https://github.com/dapr/dapr/issues/7344",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/dapr/dapr/issues/7344"
        },
        {
          "name": "https://github.com/dapr/dapr/pull/7404",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/dapr/dapr/pull/7404"
        },
        {
          "name": "https://github.com/dapr/dapr/commit/e0591e43d0cdfd30a2f2960dce5d9892dc98bc2c",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/dapr/dapr/commit/e0591e43d0cdfd30a2f2960dce5d9892dc98bc2c"
        },
        {
          "name": "https://github.com/dapr/dapr/releases/tag/v1.13.3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/dapr/dapr/releases/tag/v1.13.3"
        }
      ],
      "source": {
        "advisory": "GHSA-284c-x8m7-9w5h",
        "discovery": "UNKNOWN"
      },
      "title": "Dapr API Token Exposure"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-35223",
    "datePublished": "2024-05-23T08:47:40.289Z",
    "dateReserved": "2024-05-14T15:39:41.784Z",
    "dateUpdated": "2024-08-02T03:07:46.803Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-37918 (GCVE-0-2023-37918)

Vulnerability from cvelistv5 – Published: 2023-07-21 20:08 – Updated: 2024-10-10 18:40
Title
API token authentication bypass in HTTP endpoints in Dapr
Summary
Dapr is a portable, event-driven runtime for building distributed applications across cloud and edge. A vulnerability has been found in Dapr that allows bypassing API token authentication, which is used by the Dapr sidecar to authenticate calls coming from the application, with a well-crafted HTTP request. Users who leverage API token authentication are encouraged to upgrade Dapr to 1.10.9 or 1.11.2. This vulnerability impacts Dapr users who have configured API token authentication. An attacker could craft a request that is always allowed by the Dapr sidecar over HTTP, even if the `dapr-api-token` in the request is invalid or missing. The issue has been fixed in Dapr 1.10.9 and 1.11.2. There are no known workarounds for this vulnerability.
CWE
  • CWE-287 - Improper Authentication
Assigner
Impacted products
Vendor Product Version
dapr dapr Affected: < 1.11.2

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T17:23:27.692Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/dapr/dapr/security/advisories/GHSA-59m6-82qm-vqgj",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/dapr/dapr/security/advisories/GHSA-59m6-82qm-vqgj"
          },
          {
            "name": "https://github.com/dapr/dapr/commit/83ca1abb11ffe34211db55dcd36d96b94252827a",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/dapr/dapr/commit/83ca1abb11ffe34211db55dcd36d96b94252827a"
          },
          {
            "name": "https://docs.dapr.io/operations/security/api-token/",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://docs.dapr.io/operations/security/api-token/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:dapr:dapr:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "dapr",
            "vendor": "dapr",
            "versions": [
              {
                "lessThan": "1.11.2",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-37918",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-10T18:20:55.913377Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-10T18:40:09.738Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "dapr",
          "vendor": "dapr",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.11.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge. A vulnerability has been found in Dapr that allows bypassing API token authentication, which is used by the Dapr sidecar to authenticate calls coming from the application, with a well-crafted HTTP request. Users who leverage API token authentication are encouraged to upgrade Dapr to 1.10.9 or to 1.11.2. This vulnerability impacts Dapr users who have configured API token authentication. An attacker could craft a request that is always allowed by the Dapr sidecar over HTTP, even if the `dapr-api-token` in the request is invalid or missing. The issue has been fixed in Dapr 1.10.9 or to 1.11.2. There are no known workarounds for this vulnerability.\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-287",
              "description": "CWE-287: Improper Authentication",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-07-21T20:08:00.768Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/dapr/dapr/security/advisories/GHSA-59m6-82qm-vqgj",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/dapr/dapr/security/advisories/GHSA-59m6-82qm-vqgj"
        },
        {
          "name": "https://github.com/dapr/dapr/commit/83ca1abb11ffe34211db55dcd36d96b94252827a",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/dapr/dapr/commit/83ca1abb11ffe34211db55dcd36d96b94252827a"
        },
        {
          "name": "https://docs.dapr.io/operations/security/api-token/",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.dapr.io/operations/security/api-token/"
        }
      ],
      "source": {
        "advisory": "GHSA-59m6-82qm-vqgj",
        "discovery": "UNKNOWN"
      },
      "title": "API token authentication bypass in HTTP endpoints in Dapr"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-37918",
    "datePublished": "2023-07-21T20:08:00.768Z",
    "dateReserved": "2023-07-10T17:51:29.612Z",
    "dateUpdated": "2024-10-10T18:40:09.738Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}