CVE-2022-21707

wasmCloud Host Runtime is a server process that securely hosts and provides dispatch for web assembly (WASM) actors and capability providers. In versions prior to 0.52.2 actors can bypass capability authorization. Actors are normally required to declare their capabilities for inbound invocations, but with this vulnerability actor capability claims are not verified upon receiving invocations. This compromises the security model for actors as they can receive unauthorized invocations from linked capability providers. The problem has been patched in versions `0.52.2` and greater. There is no workaround and users are advised to upgrade to an unaffected version as soon as possible.

CVSS v3 6.3 MEDIUM
CVSS v2.0 5.5 MEDIUM

6.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.1 / Impact : 4.2

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

5.5^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:S/C:P/I:P/A:N

Exploitability : 8.0 / Impact : 4.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://github.com/wasmCloud/wasmcloud-otp/commit/fd07262074b98b06106a31fd1957dc2319d438a5	Patch Third Party Advisory
https://github.com/wasmCloud/wasmcloud-otp/security/advisories/GHSA-2cmx-rr54-88g5	Third Party Advisory
https://github.com/wasmCloud/wasmcloud-otp/commit/fd07262074b98b06106a31fd1957dc2319d438a5	Patch Third Party Advisory
https://github.com/wasmCloud/wasmcloud-otp/security/advisories/GHSA-2cmx-rr54-88g5	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:wasmcloud:host_runtime:*:*:*:*:*:*:*:*

History

21 Nov 2024, 06:45

Type	Values Removed	Values Added
CVSS	v2 : ~~5.5~~ v3 : ~~8.1~~	v2 : 5.5 v3 : 6.3
References	~~() https://github.com/wasmCloud/wasmcloud-otp/commit/fd07262074b98b06106a31fd1957dc2319d438a5 - Patch, Third Party Advisory~~	() https://github.com/wasmCloud/wasmcloud-otp/commit/fd07262074b98b06106a31fd1957dc2319d438a5 - Patch, Third Party Advisory
References	~~() https://github.com/wasmCloud/wasmcloud-otp/security/advisories/GHSA-2cmx-rr54-88g5 - Third Party Advisory~~	() https://github.com/wasmCloud/wasmcloud-otp/security/advisories/GHSA-2cmx-rr54-88g5 - Third Party Advisory

24 Jul 2023, 13:52

Type	Values Removed	Values Added
CWE	~~CWE-863~~	CWE-862

Information

Published : 2022-01-21 23:15

Updated : 2024-11-21 06:45

NVD link : CVE-2022-21707

Mitre link : CVE-2022-21707

CVE.ORG link : CVE-2022-21707

JSON object : View

Products Affected

wasmcloud

host_runtime

CWE

CWE-863

Incorrect Authorization

CWE-862

Missing Authorization

6.3 /10

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

5.5 /10

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

JSON object

Attach tags to CVE-2022-21707

6.3^/10

5.5^/10

Attach tags to `CVE-2022-21707`